Unauthenticated Call Handling Flaw in Asterisk Voice Communication Software
CVE-2008-1897

Currently unrated

Key Information:

Vendor: Asterisk
CVE Published: 23 April 2008

Summary

The IAX2 channel driver in Asterisk versions prior to specified releases fails to validate the call identifier in ACK responses for unauthenticated calls. This oversight lets remote attackers send spoofed ACK responses that disrupt the normal traffic flow and can lead to service outages. The vulnerability underscores the importance of stringent authentication and verification mechanisms in VoIP systems.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
