// For flags

CVE-2020-28242

 

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Se detectó un problema en Asterisk Open Source versiones 13.x anteriores a 13.37.1, versiones 16.x anteriores a 16.14.1, versiones 17.x anteriores a 17.8.1 y versiones 18.x anteriores a 18.0.1 y Certified Asterisk versiones anteriores a 16.8-cert5. Si Asterisk es desafiado en un INVITE saliente y el nonce es cambiado en cada respuesta, Asterisk enviará los INVITE continuamente en un bucle. Esto causa que Asterisk consuma más y más memoria ya que la transacción nunca terminará (incluso si la llamada se cuelga), lo que a la larga conllevará a un reinicio o cierre de Asterisk. Para que esto ocurra, la autenticación saliente debe ser configurada en el endpoint

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-11-06 CVE Reserved
  • 2020-11-06 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-674: Uncontrolled Recursion
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Asterisk
Search vendor "Asterisk"
Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
<= 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version " <= 16.8.0"
-
Affected
Asterisk
Search vendor "Asterisk"
Open Source
Search vendor "Asterisk" for product "Open Source"
>= 13.0 < 13.37.1
Search vendor "Asterisk" for product "Open Source" and version " >= 13.0 < 13.37.1"
-
Affected
Asterisk
Search vendor "Asterisk"
Open Source
Search vendor "Asterisk" for product "Open Source"
>= 16.0 < 16.14.1
Search vendor "Asterisk" for product "Open Source" and version " >= 16.0 < 16.14.1"
-
Affected
Asterisk
Search vendor "Asterisk"
Open Source
Search vendor "Asterisk" for product "Open Source"
>= 17.0 < 17.8.1
Search vendor "Asterisk" for product "Open Source" and version " >= 17.0 < 17.8.1"
-
Affected
Asterisk
Search vendor "Asterisk"
Open Source
Search vendor "Asterisk" for product "Open Source"
>= 18.0 < 18.0.1
Search vendor "Asterisk" for product "Open Source" and version " >= 18.0 < 18.0.1"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected