Asterisk Project Security Advisory – AST-2020-002

    Product             Asterisk
    Summary             Outbound INVITE loop on challenge with different
    Nature of Advisory  Denial of Service
    Susceptibility      Remote Authenticated Sessions
    Severity            Minor
    Exploits Known      Yes
    Reported On         July 28, 2020
    Reported By         Sebastian Damm, Ruslan Lazin
    Posted On           November 5, 2020
    Last Updated On     November 5, 2020
    Advisory Contact    bford AT sangoma DOT com
    CVE Name

    Description         If Asterisk is challenged on an outbound INVITE and the
                        nonce is changed in each response, Asterisk will
                        continually send INVITEs in a loop. This causes Asterisk
                        to consume more and more memory, since the transaction
                        will never terminate (even if the call is hung up),
                        ultimately leading to a restart or shutdown of Asterisk.
                        Outbound authentication must be configured on the
                        endpoint for this to occur.
    Modules Affected    res_pjsip

    Resolution          In the fixed versions of Asterisk, a counter has been
                        added that will automatically stop sending INVITEs after
                        reaching the limit.
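    The retry loop and the counter that the fix introduces, shown as an added Python simulation; this is not Asterisk's or res_pjsip's own code. A caller (UAC) sends an outbound INVITE, answers each Digest challenge with a response computed over the offered nonce, and stops once a bounded number of challenge rounds have been answered. One simulated peer behaves normally and accepts the second INVITE; the other rejects every INVITE with a fresh nonce, the pattern the advisory describes. The credentials, realm, URIs and the attempt limit of 3 are constructed for the example; the advisory does not state the limit the fix uses.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed values for the simulation; none of them come from the advisory.
USERNAME = "6001"
PASSWORD = "example-secret"
REALM = "example.invalid"
METHOD = "INVITE"
REQUEST_URI = "sip:6002@example.invalid"


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 MD5 Digest response (no qop), as SIP Digest authentication computes it."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


@dataclass
class Challenge:
    realm: str
    nonce: str


@dataclass
class SipResponse:
    status: int
    challenge: Optional[Challenge] = None


class ProperUAS:
    """Called side that issues one nonce and accepts a correct digest for it."""

    def __init__(self):
        self.nonce = secrets.token_hex(8)
        self.invites_seen = 0

    def handle_invite(self, auth):
        self.invites_seen += 1
        if auth is not None and auth["nonce"] == self.nonce:
            expected = digest_response(USERNAME, REALM, PASSWORD, METHOD, REQUEST_URI, self.nonce)
            if auth["response"] == expected:
                return SipResponse(200)
        return SipResponse(401, Challenge(REALM, self.nonce))


class RotatingNonceUAS:
    """Called side that answers every INVITE with 401 and a new nonce,
    the response pattern described in the advisory; the digest is never checked."""

    def __init__(self):
        self.invites_seen = 0

    def handle_invite(self, auth):
        self.invites_seen += 1
        return SipResponse(401, Challenge(REALM, secrets.token_hex(8)))


@dataclass
class CallResult:
    status: int
    invites_sent: int
    gave_up: bool


def place_call(uas, password=PASSWORD, max_auth_attempts=3):
    """Send an outbound INVITE and answer Digest challenges up to a limit.

    Without the counter, a peer that changes the nonce on every 401 keeps the
    caller re-INVITEing forever and the transaction state is never freed. The
    counter is the shape of the fix; the limit of 3 is a constructed value.
    """
    auth = None
    invites_sent = 0
    auth_attempts = 0
    while True:
        invites_sent += 1
        resp = uas.handle_invite(auth)
        if resp.status != 401 or resp.challenge is None:
            return CallResult(resp.status, invites_sent, gave_up=False)
        if auth_attempts >= max_auth_attempts:
            # Stop answering challenges so the transaction can terminate.
            return CallResult(resp.status, invites_sent, gave_up=True)
        auth_attempts += 1
        ch = resp.challenge
        auth = {
            "username": USERNAME,
            "realm": ch.realm,
            "nonce": ch.nonce,
            "uri": REQUEST_URI,
            "response": digest_response(USERNAME, ch.realm, password, METHOD, REQUEST_URI, ch.nonce),
        }


if __name__ == "__main__":
    print("well-behaved peer:  ", place_call(ProperUAS()))
    print("rotating-nonce peer:", place_call(RotatingNonceUAS()))
```

    With the well-behaved peer the call completes on the second INVITE, so the counter never interferes with normal authentication; with the rotating-nonce peer (or with wrong credentials against a normal peer) the caller sends the initial INVITE plus three authenticated retries and then gives up, which is the bounded behaviour the fixed versions provide.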

    Affected Versions
    Product               Release
    Asterisk Open Source  13.x  All versions
    Asterisk Open Source  16.x  All versions
    Asterisk Open Source  17.x  All versions
    Asterisk Open Source  18.x  All versions
    Certified Asterisk    16.8  All versions

    Corrected In
    Product               Release
    Asterisk Open Source  13.37.1
    Asterisk Open Source  16.14.1
    Asterisk Open Source  17.8.1
    Asterisk Open Source  18.0.1
    Certified Asterisk    16.8-cert5

    Patches
    SVN URL                                   Revision
                                              Asterisk 13
                                              Asterisk 16
                                              Asterisk 17
                                              Asterisk 18
                                              Certified Asterisk


    Asterisk Project Security Advisories are posted at
    This document may be superseded by later versions; if so, the latest
    version will be posted at                                             and

    Revision History
    Date              Editor    Revisions Made
    November 5, 2020  Ben Ford  Initial Revision

               Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
