PT-2020-16952 · Sangoma · Asterisk

Ruslan Lazin · Published 2020-11-06 · Updated 2025-02-13 · CVE-2020-28242

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Asterisk Open Source versions 13.x through 13.37.0
Asterisk Open Source versions 16.x through 16.14.0
Asterisk Open Source versions 17.x through 17.8.0
Asterisk Open Source versions 18.x through 18.0.0
Certified Asterisk versions prior to 16.8-cert5

Description

An issue was discovered where Asterisk, when an outbound INVITE is challenged and each challenge response carries a different nonce, keeps re-sending the INVITE in a loop. Because the transaction never terminates, Asterisk consumes more and more memory, ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Recommendations

For Asterisk Open Source versions 13.x through 13.37.0, update to version 13.37.1 or later.
For Asterisk Open Source versions 16.x through 16.14.0, update to version 16.14.1 or later.
For Asterisk Open Source versions 17.x through 17.8.0, update to version 17.8.1 or later.
For Asterisk Open Source versions 18.x through 18.0.0, update to version 18.0.1 or later.
For Certified Asterisk versions prior to 16.8-cert5, update to version 16.8-cert5 or later.
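In a SIP trace the loop described above appears as a run of 401/407 challenges, each with a new nonce, every one answered by a fresh INVITE on the same Call-ID. The following detector is added here as an example and is not part of the advisory or of Asterisk; the one-message-per-line trace format (direction, Call-ID, start line with the challenge header folded onto it) and the sample trace are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed trace, one message per line: direction, Call-ID, then the
# message start line (with the challenge header folded onto it).
# "good@pbx" is a normal call: one challenge, then 200 OK.
# "loop@pbx" shows the CVE-2020-28242 pattern: every 401 carries a fresh
# nonce and the client answers each one with another INVITE, never finishing.
SAMPLE_TRACE = """\
out good@pbx INVITE sip:100@provider SIP/2.0
in  good@pbx SIP/2.0 401 Unauthorized WWW-Authenticate: Digest realm="p", nonce="a1"
out good@pbx INVITE sip:100@provider SIP/2.0
in  good@pbx SIP/2.0 200 OK
out loop@pbx INVITE sip:200@provider SIP/2.0
in  loop@pbx SIP/2.0 401 Unauthorized WWW-Authenticate: Digest realm="p", nonce="b1"
out loop@pbx INVITE sip:200@provider SIP/2.0
in  loop@pbx SIP/2.0 401 Unauthorized WWW-Authenticate: Digest realm="p", nonce="b2"
out loop@pbx INVITE sip:200@provider SIP/2.0
in  loop@pbx SIP/2.0 401 Unauthorized WWW-Authenticate: Digest realm="p", nonce="b3"
out loop@pbx INVITE sip:200@provider SIP/2.0
in  loop@pbx SIP/2.0 401 Unauthorized WWW-Authenticate: Digest realm="p", nonce="b4"
out loop@pbx INVITE sip:200@provider SIP/2.0
"""

# A 401 (WWW-Authenticate) or 407 (Proxy-Authenticate) challenge and its nonce.
CHALLENGE = re.compile(r'^SIP/2\.0 (401|407) .*?nonce="([^"]+)"')


def find_reauth_loops(trace: str, threshold: int = 3) -> dict:
    """Return {call_id: challenge_count} for dialogs in which the far end
    issued at least `threshold` challenges, every one with a new nonce, and
    the local side kept re-sending INVITE. A healthy client sees one
    challenge (or two if the first nonce was stale), so higher counts point
    at the unbounded re-authentication loop this advisory describes."""
    nonces = defaultdict(list)   # call_id -> nonces seen in challenges
    invites = defaultdict(int)   # call_id -> outbound INVITEs sent
    for line in trace.splitlines():
        if not line.strip():
            continue
        direction, call_id, msg = line.split(maxsplit=2)
        if direction == "out" and msg.startswith("INVITE "):
            invites[call_id] += 1
        elif direction == "in":
            m = CHALLENGE.match(msg)
            if m:
                nonces[call_id].append(m.group(2))
    loops = {}
    for call_id, seen in nonces.items():
        fresh_each_time = len(set(seen)) == len(seen)
        if len(seen) >= threshold and fresh_each_time and invites[call_id] >= len(seen):
            loops[call_id] = len(seen)
    return loops


if __name__ == "__main__":
    print(find_reauth_loops(SAMPLE_TRACE))   # {'loop@pbx': 4}
```

A dialog that repeats the same nonce (a stale-nonce retry) is deliberately not flagged, since only the fresh-nonce-every-time pattern keeps an unpatched Asterisk in the loop.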

Fix

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

ALT-PU-2023-6874
ALT-PU-2025-2613
CVE-2020-28242
DLA-2969-1

Affected Products

Alt Linux
Asterisk