CVE-2020-28242
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/11/2020
Last modified:
15/08/2024
Description
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:* | 16.8.0 (including) | |
| cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* | 13.0 (including) | 13.37.1 (excluding) |
| cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* | 16.0 (including) | 16.14.1 (excluding) |
| cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* | 17.0 (including) | 17.8.1 (excluding) |
| cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* | 18.0 (including) | 18.0.1 (excluding) |
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page