Digium · Asterisk Business Edition · CVE-2008-1897
**Name of the Vulnerable Software and Affected Versions**
Asterisk Open Source versions 1.0.x through 1.2.27 and versions 1.4.x through 1.4.18
Asterisk Business Edition versions A.x.x through B.2.5.1 and versions C.x.x through C.1.8.0
AsteriskNOW versions prior to 1.0.3
Appliance Developer Kit versions 0.x.x
s800i versions prior to 1.1.0.3
**Description**
The issue allows remote attackers to cause a denial of service via a spoofed ACK response that does not complete a 3-way handshake, resulting in traffic amplification. This occurs when the IAX2 channel driver is configured to allow unauthenticated calls and fails to verify that an ACK response contains a call number matching the server's reply to a NEW message.
**Recommendations**
For Asterisk Open Source versions 1.0.x through 1.2.27, update to version 1.2.28 or later.
For Asterisk Open Source versions 1.4.x through 1.4.18, update to version 1.4.19.1 or later.
For Asterisk Business Edition versions A.x.x through B.2.5.1, update to version B.2.5.2 or later.
For Asterisk Business Edition versions C.x.x through C.1.8.0, update to version C.1.8.1 or later.
For AsteriskNOW versions prior to 1.0.3, update to version 1.0.3 or later.
For Appliance Developer Kit versions 0.x.x, there is no information about a newer version that contains a fix for this issue.
For s800i versions prior to 1.1.0.3, update to version 1.1.0.3 or later.