Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
CVE-2023-49786

7.5HIGH

Key Information:

Vendor

Asterisk

Status
Asterisk
Vendor
CVE Published:
14 December 2023

What is CVE-2023-49786?

Asterisk, an open source telephony toolkit, is affected by a Denial of Service vulnerability stemming from a race condition in the hello handshake phase of the DTLS protocol. These vulnerabilities allow attackers to continuously exploit the issue during DTLS-SRTP media setup, resulting in a denial of service for new DTLS-SRTP encrypted calls. This can significantly disrupt the functionality of Asterisk servers, potentially overwhelming them and preventing the establishment of new calls. Mitigation is available in updated versions including 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.

Affected Version(s)

asterisk < 18.20.1 < 18.20.1

asterisk >= 19.0.0, < 20.5.1 < 19.0.0, 20.5.1

asterisk = 21.0.0 = 21.0.0

References

https://github.com/asterisk/asterisk/security/advisories/...
x_refsource_CONFIRM
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8...
x_refsource_MISC
https://github.com/EnableSecurity/advisories/tree/master/...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-49786 : Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation