CVE-2024-35190 — Incorrect Implementation of Authentication Algorithm in Asterisk

CWE-303 — Incorrect Implementation of Authentication Algorithm CWE-480 — Use of Incorrect Operator CWE-670 — Always-Incorrect Control Flow Implementation5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 43.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Sangoma Asterisk Debian Asterisk

Timeline

PublishedMay 17

Latest updateMay 19

Description

Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Alpineasterisk/asterisk< 18.24.3-r0+6

▶debiandebian/asterisk

▶NVDsangoma/asterisk18.23.0, 20.8.0, 21.3.0+2

▶CVEListV5asterisk/asterisk= 18.23.0, = 20.8.0, = 21.3.0+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-35190: Asterisk is an open source private branch exchange and telephony toolkit↗2024-05-17

▶

📋Vendor Advisories

Debian

CVE-2024-35190: asterisk - Asterisk is an open source private branch exchange and telephony toolkit. After ...↗2024

▶

💬Community

Bugzilla

CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [fedora-all]↗2024-05-19

▶

Bugzilla

CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [epel-all]↗2024-05-19

▶