Bug#1059033: asterisk: CVE-2023-49786

Salvatore Bonaccorso carnil at debian.org
Tue Dec 19 15:28:24 GMT 2023


Source: asterisk
Version: 1:20.5.0~dfsg+~cs6.13.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2023-49786[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1;
| as well as certified-asterisk prior to 18.9-cert6; Asterisk is
| susceptible to a DoS due to a race condition in the hello handshake
| phase of the DTLS protocol when handling DTLS-SRTP for media setup.
| This attack can be done continuously, thus denying new DTLS-SRTP
| encrypted calls during the attack. Abuse of this vulnerability may
| lead to a massive Denial of Service on vulnerable Asterisk servers
| for calls that rely on DTLS-SRTP. Commit
| d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is
| part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49786
    https://www.cve.org/CVERecord?id=CVE-2023-49786
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
[2] https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
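As an added defender-side check (not part of the bug report or of the Asterisk project), the script below decides whether an installed Asterisk version falls inside the affected ranges quoted above: standard branches prior to 18.20.1, 20.5.1 and 21.0.1, and certified-asterisk prior to 18.9-cert6. The function names, the regular expressions and the sample version strings are assumptions made here; the Debian string is the one from the report's Version field, with its epoch and packaging suffix ignored so only the upstream 20.5.0 is compared. Branches the advisory does not mention (for example 19.x) are reported as unknown rather than guessed.

```python
import re

# Fixed versions quoted in the CVE text, keyed by major branch (assumed layout).
FIXED_STANDARD = {18: (18, 20, 1), 20: (20, 5, 1), 21: (21, 0, 1)}
# certified-asterisk: fixed in 18.9-cert6.
FIXED_CERTIFIED = (18, 9, 6)

_CERT_RE = re.compile(r"(\d+)\.(\d+)-cert(\d+)")
_STD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_asterisk_version(text):
    """Return ('cert', (major, minor, certN)) or ('std', (major, minor, patch)).

    Accepts plain upstream strings ("18.20.1", "18.9-cert5") as well as a
    Debian package version such as "1:20.5.0~dfsg+~cs6.13.40431414-1",
    from which only the leading upstream triple is taken.
    """
    m = _CERT_RE.search(text)
    if m:
        return "cert", tuple(int(x) for x in m.groups())
    m = _STD_RE.search(text)
    if m:
        return "std", tuple(int(x) for x in m.groups())
    raise ValueError("unrecognised Asterisk version: %r" % text)


def is_affected(text):
    """True if vulnerable per the quoted ranges, False if fixed,
    None if the branch is not covered by the advisory text."""
    kind, ver = parse_asterisk_version(text)
    if kind == "cert":
        if ver[0] != FIXED_CERTIFIED[0]:
            return None  # only the 18.9 certified branch is named
        return ver < FIXED_CERTIFIED
    fixed = FIXED_STANDARD.get(ver[0])
    if fixed is None:
        return None  # e.g. 19.x: not listed in the CVE text
    return ver < fixed


if __name__ == "__main__":
    # Constructed sample inputs, including the Version field from this report.
    for sample in ["1:20.5.0~dfsg+~cs6.13.40431414-1", "20.5.1",
                   "18.19.2", "18.9-cert5", "18.9-cert6", "19.8.0"]:
        print("%-40s affected=%s" % (sample, is_affected(sample)))
```

On a Debian host the string to test is what `dpkg-query -W -f='${Version}' asterisk` prints; the report's own Version field (upstream 20.5.0) evaluates as affected, which is why the fixed 20.5.1 is the target.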