Asterisk Open Source SIP Session Crash Vulnerability
CVE-2020-28327
CVSS score: 5.3 (MEDIUM)
What is CVE-2020-28327?
Asterisk Open Source versions 13.x, 16.x, 17.x, and 18.x, along with Certified Asterisk, contain a vulnerability that can crash the program when certain SIP requests are processed. Specifically, when a new SIP INVITE is received, Asterisk does not correctly manage the lifetime of the dialog object, so another thread can free it while it is still in use (a race condition). The issue only arises when a connection-oriented transport such as TCP or TLS is used for SIP, and it can be triggered by authenticated remote clients, or in configurations that allow anonymous calling.
CVSS v3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged