PT-2023-7749 · Sangoma+2 · Asterisk+2

Alfredfarrugia +1
Published 2023-09-27 · Updated 2025-02-13
CVE-2023-49786
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Asterisk versions prior to 18.20.1
Asterisk versions prior to 20.5.1
Asterisk versions prior to 21.0.1
Certified Asterisk versions prior to 18.9-cert6

Description
The issue is caused by a race condition in the hello handshake phase of the DTLS protocol when Asterisk handles DTLS-SRTP for media setup. A remote attacker can exploit it to cause a denial of service, potentially a massive one for vulnerable Asterisk servers handling calls that rely on DTLS-SRTP. The attack can be repeated continuously, denying new DTLS-SRTP encrypted calls for as long as it runs.

Recommendations
For Asterisk versions prior to 18.20.1, update to version 18.20.1 or later.
For Asterisk versions prior to 20.5.1, update to version 20.5.1 or later.
For Asterisk versions prior to 21.0.1, update to version 21.0.1 or later.
For Certified Asterisk versions prior to 18.9-cert6, update to version 18.9-cert6 or later.
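To turn the recommendations above into a check a defender can run across a fleet, the following added example (not part of the advisory or the Asterisk project) classifies an `asterisk -V` banner against the fixed versions the advisory names. It assumes banners of the form `Asterisk 18.19.0` and `Asterisk certified/18.9-cert5`; branches the advisory does not mention are reported as not covered rather than as safe.

```python
"""Classify an Asterisk version banner against the fixed versions in this advisory:
18.20.1, 20.5.1, 21.0.1 and Certified Asterisk 18.9-cert6."""
import re

# Fixed versions stated in the advisory, keyed by release branch (major version).
FIXED = {
    18: (18, 20, 1),
    20: (20, 5, 1),
    21: (21, 0, 1),
}
# Certified Asterisk: base release and first fixed cert number (18.9-cert6).
CERTIFIED_BASE, CERTIFIED_FIXED_CERT = "18.9", 6


def parse_version(banner: str):
    """Parse an 'asterisk -V' style banner (assumed formats, see lead-in).

    Returns ("certified", base, cert_no) for 'Asterisk certified/18.9-cert5',
    ("standard", (major, minor, patch)) for 'Asterisk 18.19.0', or None.
    """
    m = re.search(r"certified/(\d+\.\d+)-cert(\d+)", banner)
    if m:
        return ("certified", m.group(1), int(m.group(2)))
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if m:
        return ("standard", tuple(int(x) for x in m.groups()))
    return None


def assess(banner: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered' for one banner string."""
    parsed = parse_version(banner)
    if parsed is None:
        return "not covered"          # unrecognised banner: do not assume safe
    if parsed[0] == "certified":
        _, base, cert_no = parsed
        if base != CERTIFIED_BASE:
            return "not covered"      # only the 18.9 certified branch is listed
        return "vulnerable" if cert_no < CERTIFIED_FIXED_CERT else "fixed"
    version = parsed[1]
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not covered"          # e.g. Asterisk 16: not named in the advisory
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not output from real hosts.
    for line in ["Asterisk 18.19.0", "Asterisk 20.5.1", "Asterisk certified/18.9-cert5"]:
        print(f"{line}: {assess(line)}")
```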

Tags: Exploit · Fix · DoS · Time Of Check To Time Of Use · Race Condition

Related Identifiers

ALT-PU-2025-2613
BDU:2023-08816
CVE-2023-49786
DLA-3696-1
DSA-5596-1
GHSA-HXJ9-XWR8-W8PQ

Affected Products

Alt Linux
Asterisk
Red Os