7.5
CVE-2023-49786
- EPSS 0.1%
- Published 14.12.2023 20:15:52
- Last modified 21.11.2024 08:33:50
- Source security-advisories@github.com
- CVE watchlists
- Open
Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be performed continuously, thus denying new DTLS-SRTP encrypted calls for the duration of the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.
Data provided by the National Vulnerability Database (NVD)
Sangoma ≫ Certified Asterisk Version 13.13.0
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert1
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert1-rc1
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert1-rc2
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert1-rc3
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert1-rc4
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert2
Sangoma ≫ Certified Asterisk Version 13.13.0 Update cert3
Sangoma ≫ Certified Asterisk Version 13.13.0 Update rc1
Sangoma ≫ Certified Asterisk Version 13.13.0 Update rc2
Sangoma ≫ Certified Asterisk Version 16.8.0 Update -
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert1
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert10
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert11
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert12
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert2
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert3
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert4
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert5
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert6
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert7
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert8
Sangoma ≫ Certified Asterisk Version 16.8.0 Update cert9
Sangoma ≫ Certified Asterisk Version 18.9 Update cert1
Sangoma ≫ Certified Asterisk Version 18.9 Update cert2
Sangoma ≫ Certified Asterisk Version 18.9 Update cert3
Sangoma ≫ Certified Asterisk Version 18.9 Update cert4
Sangoma ≫ Certified Asterisk Version 18.9 Update cert5
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.269 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| security-advisories@github.com | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-703 Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.