CVE-2023-49786

Published: Dic 14, 2023 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2023-53705 Aliases: GSD-2023-49786
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high

Description

AI Translation Available

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0007
Percentile
0,2th
Updated

EPSS Score Trend (Last 90 Days)

362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality Integrity Access Control
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Dos: Crash, Exit, Or Restart Dos: Instability Read Files Or Directories Read Application Data Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism
Applicable Platforms
Languages: C, C++, Java
Technologies: ICS/OT, Mobile
Likelihood of Exploit: Medium
View CWE Details
703

Improper Check or Handling of Exceptional Conditions

Incomplete
Abstraction: Pillar Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Availability Integrity
Potential Impacts:
Read Application Data Dos: Crash, Exit, Or Restart Unexpected State
Applicable Platforms
All platforms may be affected
View CWE Details
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version Range Affected
To 18.20.1 (exclusive)
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version 21.0.0
cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version Range Affected
From 19.0.0 (inclusive)
To 20.5.1 (exclusive)
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://packetstormsecurity.com/files/176251/Asterisk-20.1.0…
Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.h…
http://seclists.org/fulldisclosure/2023/Dec/24
Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2023/Dec/24
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1…
Patch
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62…
https://github.com/asterisk/asterisk/security/advisories/GH…
Exploit Vendor Advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
https://github.com/EnableSecurity/advisories/tree/master/ES…
Exploit
https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtl…
https://lists.debian.org/debian-lts-announce/2023/12/msg000…
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
http://www.openwall.com/lists/oss-security/2023/12/15/7
Exploit Mailing List
http://www.openwall.com/lists/oss-security/2023/12/15/7
http://packetstormsecurity.com/files/176251/Asterisk-20.1.0…
Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.h…
http://seclists.org/fulldisclosure/2023/Dec/24
Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2023/Dec/24
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1…
Patch
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62…
https://github.com/asterisk/asterisk/security/advisories/GH…
Exploit Vendor Advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
https://github.com/EnableSecurity/advisories/tree/master/ES…
Exploit
https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtl…
https://lists.debian.org/debian-lts-announce/2023/12/msg000…
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
http://www.openwall.com/lists/oss-security/2023/12/15/7
Exploit Mailing List
http://www.openwall.com/lists/oss-security/2023/12/15/7