Memory Leak Vulnerability in Asterisk Open Source and Certified Asterisk Products
CVE-2020-28242

6.5 MEDIUM

Key Information:

Vendor

Asterisk

CVE Published:
6 November 2020

What is CVE-2020-28242?

Asterisk Open Source and Certified Asterisk contain a vulnerability that can lead to a memory leak under specific conditions. When Asterisk is challenged on an outbound INVITE and the nonce changes with each response, it can enter a persistent loop of INVITE requests. The loop consumes an increasing amount of memory because the transactions do not terminate, even after the call is hung up. This can culminate in a restart or shutdown of the Asterisk service, disrupting operations. The vulnerability can only be exploited if outbound authentication is configured on the endpoint.
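
A detection check for the pattern described above, added here as an example and not taken from Asterisk or the vendor advisory: it walks a SIP trace and counts distinct nonces in 401/407 challenges to INVITEs per Call-ID. The trace layout (messages separated by blank lines), the sample messages and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")
NONCE_RE = re.compile(r'\bnonce="([^"]*)"', re.IGNORECASE)  # \b skips cnonce

def parse_challenges(trace):
    """Yield (call_id, nonce) for each 401/407 response to an INVITE."""
    for block in re.split(r"\r?\n\s*\r?\n", trace.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        status = re.match(r"SIP/2\.0 (\d{3})", lines[0])
        if not status or status.group(1) not in ("401", "407"):
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        call_id = headers.get("call-id") or headers.get("i")  # "i" = compact form
        if not call_id or not headers.get("cseq", "").upper().endswith("INVITE"):
            continue
        for header in CHALLENGE_HEADERS:
            match = NONCE_RE.search(headers.get(header, ""))
            if match:
                yield call_id, match.group(1)

def find_challenge_loops(trace, threshold=3):
    """Return {call_id: distinct_nonce_count} for calls at or above threshold.

    threshold=3 is an assumed value: one challenge per INVITE is normal and a
    second can follow a stale nonce, so three or more fresh nonces is suspicious.
    """
    nonces = defaultdict(set)
    for call_id, nonce in parse_challenges(trace):
        nonces[call_id].add(nonce)
    return {cid: len(seen) for cid, seen in nonces.items() if len(seen) >= threshold}

def _challenge(call_id, cseq, nonce):
    # Builds one constructed 401 response for the sample trace below.
    return (f"SIP/2.0 401 Unauthorized\nCall-ID: {call_id}\nCSeq: {cseq} INVITE\n"
            f'WWW-Authenticate: Digest realm="example", nonce="{nonce}"\n')

# Constructed sample (not a real capture): call-a is challenged once and then
# answered; call-b is challenged five times, each time with a new nonce.
SAMPLE_TRACE = "\n".join(
    [_challenge("call-a@pbx.example", 1, "aaa1"),
     "SIP/2.0 200 OK\nCall-ID: call-a@pbx.example\nCSeq: 2 INVITE\n"]
    + [_challenge("call-b@pbx.example", n, f"bbb{n}") for n in range(1, 6)]
)

if __name__ == "__main__":
    print(find_challenge_loops(SAMPLE_TRACE))
```

A Call-ID reported here that also keeps generating INVITEs after the call was hung up matches the behaviour in the description and is worth correlating with the Asterisk process's memory growth.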


CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
