Asterisk Security Team
2020-Nov-05 22:24 UTC
[asterisk-users] AST-2020-002: Outbound INVITE loop on challenge with different nonce.
Asterisk Project Security Advisory – AST-2020-002
Product Asterisk
Summary Outbound INVITE loop on challenge with different
nonce.
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known Yes
Reported On July 28, 2020
Reported By Sebastian Damm, Ruslan Lazin
Posted On November 5, 2020
Last Updated On November 5, 2020
Advisory Contact bford AT sangoma DOT com
CVE Name
Description If Asterisk is challenged on an outbound INVITE and
the nonce is changed in each response, Asterisk will
continually send INVITEs in a loop. This causes
Asterisk to consume more and more memory since the
transaction will never terminate (even if the call is
hung up), ultimately leading to a restart or shutdown
of Asterisk. Outbound authentication must be
configured on the endpoint for this to occur.
Modules Affected res_pjsip
Resolution In the fixed versions of Asterisk, a counter has been added
that will automatically stop sending INVITEs after reaching
the limit.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All versions
Asterisk Open Source 16.x All versions
Asterisk Open Source 17.x All versions
Asterisk Open Source 18.x All versions
Certified Asterisk 16.8 All versions
Corrected In
Product Release
Asterisk Open Source 13.37.1
Asterisk Open Source 16.14.1
Asterisk Open Source 17.8.1
Asterisk Open Source 18.0.1
Certified Asterisk 16.8-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2020-002-13.diff Asterisk
13
http://downloads.asterisk.org/pub/security/AST-2020-002-16.diff Asterisk
16
http://downloads.asterisk.org/pub/security/AST-2020-002-17.dif Asterisk
17
http://downloads.asterisk.org/pub/security/AST-2020-002-18.dif Asterisk
18
http://downloads.asterisk.org/pub/security/AST-2020-002-16.8.diff Certified
Asterisk
16.8-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-29013
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2020-002.pdf and
http://downloads.digium.com/pub/security/AST-2020-002.html
Revision History
Date Editor Revisions Made
November 5, 2020 Ben Ford Initial Revision
Asterisk Project Security Advisory -
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.