CVE-2023-49786

Exploit

EPSS 0.05%
Veröffentlicht 14.12.2023 20:15:52
Zuletzt bearbeitet 21.11.2024 08:33:50
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Digium ≫ Asterisk Version < 18.20.1

Digium ≫ Asterisk Version >= 19.0.0 < 20.5.1

Digium ≫ Asterisk Version21.0.0

Sangoma ≫ Certified Asterisk Version13.13.0

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert1

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert1-rc1

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert1-rc2

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert1-rc3

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert1-rc4

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert2

Sangoma ≫ Certified Asterisk Version13.13.0 Updatecert3

Sangoma ≫ Certified Asterisk Version13.13.0 Updaterc1

Sangoma ≫ Certified Asterisk Version13.13.0 Updaterc2

Sangoma ≫ Certified Asterisk Version16.8.0 Update-

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert1

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert10

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert11

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert12

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert2

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert3

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert4

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert5

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert6

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert7

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert8

Sangoma ≫ Certified Asterisk Version16.8.0 Updatecert9

Sangoma ≫ Certified Asterisk Version18.9 Updatecert1

Sangoma ≫ Certified Asterisk Version18.9 Updatecert2

Sangoma ≫ Certified Asterisk Version18.9 Updatecert3

Sangoma ≫ Certified Asterisk Version18.9 Updatecert4

Sangoma ≫ Certified Asterisk Version18.9 Updatecert5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.161

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2023/Dec/24

Third Party Advisory

Exploit

Mailing List

http://www.openwall.com/lists/oss-security/2023/12/15/7