Asterisk Open Source SIP Session Crash Vulnerability
CVE-2020-28327

5.3MEDIUM

Key Information:

Vendor

Asterisk

Status
Open Source
Certified Asterisk
Vendor
CVE Published:
6 November 2020

What is CVE-2020-28327?

Asterisk Open Source versions 13.x, 16.x, 17.x, and 18.x, along with Certified Asterisk, have a vulnerability that may lead to a program crash when certain SIP requests are processed. Specifically, when a new SIP Invite is received, Asterisk fails to properly handle the dialog object, allowing it to be freed by another thread in a race condition scenario. This issue occurs under specific conditions where connection-oriented protocols like TCP or TLS are used for SIP transport and can potentially affect authenticated remote clients or configurations that allow anonymous calling.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

http://downloads.asterisk.org/pub/security/AST-2020-001.html
x_refsource_MISC
https://issues.asterisk.org/jira/browse/ASTERISK-29057
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.