PT-2023-7749 · Sangoma+2 · Asterisk+2

Alfredfarrugia

+1

·

Published

2023-09-27

·

Updated

2025-02-13

·

CVE-2023-49786

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Asterisk versions prior to 18.20.1
Asterisk versions prior to 20.5.1
Asterisk versions prior to 21.0.1
Certified Asterisk versions prior to 18.9-cert6
Description

The issue is caused by a race condition in the hello phase of the DTLS handshake when Asterisk sets up DTLS-SRTP for call media. A remote attacker can exploit it to cause a denial of service against calls that rely on DTLS-SRTP on a vulnerable Asterisk server. The attack can be repeated continuously, so new DTLS-SRTP encrypted calls are denied for as long as it is sustained.
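The description above concerns the hello phase of the DTLS handshake that precedes DTLS-SRTP media. The following is an added example, not code from the original page or from the Asterisk project: it demultiplexes packets sharing one UDP media port (RFC 7983 first-byte ranges), parses the DTLS record and handshake headers (RFC 6347), and flags DTLS ClientHello messages that arrive on a media port from a source other than the peer negotiated for the call. The peer address, the attacker address and all packet bytes are constructed for the example, and the detection threshold is an assumption; this is network-side detection logic, not a description of the Asterisk fix.

```python
"""Flag DTLS ClientHello messages on an RTP port from unexpected sources.

Added example for CVE-2023-49786 triage; not Asterisk code. Packets,
addresses and the threshold below are constructed assumptions.
"""
import struct
from collections import Counter

DTLS_VERSION_1_2 = 0xFEFD       # DTLS 1.2 wire version (RFC 6347)
CONTENT_HANDSHAKE = 22          # DTLS record content type "handshake"
HANDSHAKE_CLIENT_HELLO = 1      # handshake message type "client_hello"


def classify_first_byte(first: int) -> str:
    """RFC 7983 demultiplexing of STUN, ZRTP, DTLS, TURN and RTP on one port."""
    if 0 <= first <= 3:
        return "stun"
    if 16 <= first <= 19:
        return "zrtp"
    if 20 <= first <= 63:
        return "dtls"
    if 64 <= first <= 79:
        return "turn-channel"
    if 128 <= first <= 191:
        return "rtp"            # RTP and RTCP share this range
    return "unknown"


def parse_dtls_handshake(payload: bytes):
    """Parse a DTLS record header and, for handshake records, the handshake
    header. Returns a dict, or None if this is not a DTLS handshake record."""
    if len(payload) < 13:
        return None
    content_type, version, epoch = struct.unpack("!BHH", payload[:5])
    record_seq = int.from_bytes(payload[5:11], "big")
    (rec_len,) = struct.unpack("!H", payload[11:13])
    if content_type != CONTENT_HANDSHAKE or rec_len < 12 or len(payload) < 13 + rec_len:
        return None
    hs = payload[13:13 + rec_len]
    return {
        "version": version,
        "epoch": epoch,
        "record_seq": record_seq,
        "msg_type": hs[0],
        "msg_len": int.from_bytes(hs[1:4], "big"),
        "message_seq": struct.unpack("!H", hs[4:6])[0],
        "fragment_offset": int.from_bytes(hs[6:9], "big"),
        "fragment_length": int.from_bytes(hs[9:12], "big"),
    }


def build_client_hello(message_seq: int = 0, body: bytes = b"\x00" * 40) -> bytes:
    """Constructed minimal DTLS 1.2 ClientHello record. Only the headers are
    meaningful; the body is filler sufficient for the parser above."""
    hs_header = (bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
                 + struct.pack("!H", message_seq) + (0).to_bytes(3, "big")
                 + len(body).to_bytes(3, "big"))
    hs = hs_header + body
    rec_header = (struct.pack("!BHH", CONTENT_HANDSHAKE, DTLS_VERSION_1_2, 0)
                  + (0).to_bytes(6, "big") + struct.pack("!H", len(hs)))
    return rec_header + hs


def detect_unsolicited_client_hellos(packets, negotiated_peer, threshold=1):
    """packets: iterable of (src_ip, src_port, udp_payload) seen on one media
    port. Returns {(ip, port): count} for sources other than the negotiated
    peer that sent at least `threshold` DTLS ClientHello messages."""
    hellos = Counter()
    for src_ip, src_port, payload in packets:
        if not payload or classify_first_byte(payload[0]) != "dtls":
            continue
        rec = parse_dtls_handshake(payload)
        if rec is None or rec["msg_type"] != HANDSHAKE_CLIENT_HELLO:
            continue
        if (src_ip, src_port) != negotiated_peer:
            hellos[(src_ip, src_port)] += 1
    return {src: n for src, n in hellos.items() if n >= threshold}


# Constructed sample traffic on one Asterisk media port.
PEER = ("198.51.100.7", 50000)                   # peer negotiated in SDP/ICE
RTP_PACKET = bytes([0x80, 0x00]) + b"\x00" * 10  # RTP v2 header, PT 0
STUN_REQUEST = b"\x00\x01\x00\x00\x21\x12\xa4\x42" + b"\x00" * 12  # Binding Request
SAMPLE_TRAFFIC = [
    (*PEER, build_client_hello(message_seq=0)),  # legitimate handshake start
    (*PEER, STUN_REQUEST),
    (*PEER, RTP_PACKET),
] + [("203.0.113.9", 4444, build_client_hello()) for _ in range(5)]  # constructed flood

if __name__ == "__main__":
    print(detect_unsolicited_client_hellos(SAMPLE_TRAFFIC, PEER))
```

The negotiated peer is the address the server learned from SDP or from ICE connectivity checks; before ICE completes, legitimate hellos may come from candidate addresses other than the one first signalled, so in production the comparison set should be the call's ICE candidates rather than a single tuple, and the threshold should be tuned to avoid alerting on normal retransmissions.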
Recommendations

For Asterisk versions prior to 18.20.1, update to version 18.20.1 or later.
For Asterisk versions prior to 20.5.1, update to version 20.5.1 or later.
For Asterisk versions prior to 21.0.1, update to version 21.0.1 or later.
For Certified Asterisk versions prior to 18.9-cert6, update to version 18.9-cert6 or later.
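To check an installation against the version boundaries listed above, the following added helper (not code from the page or from Asterisk) parses either a bare version string or the first line of `asterisk -rx "core show version"` and compares it against the fixed release of its branch. Branches the advisory does not list (for example 16.x or other Certified branches) are reported as not covered rather than guessed. The sample output line is constructed.

```python
"""Classify an Asterisk version against the CVE-2023-49786 fixed releases.

Added example; the fixed versions are those listed in the advisory.
"""
import re

# First non-vulnerable release per branch named in the advisory.
FIXED_BY_BRANCH = {18: (18, 20, 1), 20: (20, 5, 1), 21: (21, 0, 1)}
CERT_FIXED = (18, 9, 6)          # Certified Asterisk 18.9-cert6

# Matches "20.5.0", "18.9-cert5", or the "Asterisk X.Y.Z built by ..." line
# printed by `asterisk -rx "core show version"`.
_VERSION_RE = re.compile(r"(?:Asterisk\s+)?(\d+)\.(\d+)(?:\.(\d+)|-cert(\d+))")


def parse_version(text: str):
    """Return ("std", (major, minor, patch)) or ("cert", (major, minor, certN))."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Asterisk version found in {text!r}")
    major, minor, patch, cert = m.groups()
    if cert is not None:
        return "cert", (int(major), int(minor), int(cert))
    return "std", (int(major), int(minor), int(patch))


def assess(text: str) -> str:
    """'vulnerable', 'fixed', or 'not covered' for branches the advisory omits."""
    kind, v = parse_version(text)
    if kind == "cert":
        if v[:2] != CERT_FIXED[:2]:
            return "not covered"
        return "vulnerable" if v < CERT_FIXED else "fixed"
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return "not covered"
    return "vulnerable" if v < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample of the first line of `core show version`.
    sample = "Asterisk 20.5.0 built by root @ pbx on a x86_64 running Linux on 2023-11-14"
    print(parse_version(sample), assess(sample))
```

Run it against the live output with `asterisk -rx "core show version"` piped into the script, or paste the version string; a result of "not covered" means the branch must be checked against the vendor's own advisory rather than assumed safe.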

Exploit

Fix

DoS

Time Of Check To Time Of Use

Race Condition


Weakness Enumeration

Related identifiers

ALT-PU-2025-2613
BDU:2023-08816
CVE-2023-49786
DLA-3696-1
DSA-5596-1
GHSA-HXJ9-XWR8-W8PQ

Affected products

Alt Linux
Asterisk
Red Os