CVE-2020-28242
MEDIUMAsterisk Open Source <13.37.1,16.14.1,17.8.1,18.0.1 - DoS
Title source: llmDescription
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
http://downloads.asterisk.org/pub/security/AST-2020-002.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
Scores
CVSS v3
6.5
EPSS
0.0154
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-674
Status
published
Products (4)
asterisk/certified_asterisk
< 16.8.0
debian/debian_linux
9.0
fedoraproject/fedora
33
sangoma/asterisk
13.0 - 13.37.1
Published
Nov 06, 2020
Tracked Since
Feb 18, 2026