Asterisk: crash via INVITE flood over TCP
Published on Nov 6, 2020 in CVE-2020-28327, asterisk, denial of service, security advisory
- Fixed versions: 13.37.1, 16.14.1, 17.8.1, 18.0.1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-02-asterisk-tcp-invite-crash/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-02-asterisk-tcp-invite-crash
- Asterisk Security Advisory: https://downloads.asterisk.org/pub/security/AST-2020-001.html
- References: AST-2020-001, CVE-2020-28327
- Tested vulnerable versions: 17.5.1, 17.6.0
- Timeline:
  - Report date: 2020-08-31
  - Triaged: 2020-09-01
  - Fix provided for testing: 2020-10-29
  - Asterisk release with fix: 2020-11-05
  - Enable Security advisory: 2020-11-06
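As an added check that is not part of the advisory or of the linked reproduction tools, the following Python script decides whether a running Asterisk is at or above the fixed version for its release branch (13.37.1, 16.14.1, 17.8.1, 18.0.1, as listed above). It assumes `asterisk -V` prints a line of the form `Asterisk X.Y.Z`; branches the advisory does not list (for example 14.x/15.x, or the certified `-certN` releases) are reported as unknown rather than guessed at. The sample version strings at the bottom are constructed for illustration.

```python
import re
import shutil
import subprocess

# Fixed versions from the advisory, keyed by major release branch.
FIXED_VERSIONS = {
    13: (13, 37, 1),
    16: (16, 14, 1),
    17: (17, 8, 1),
    18: (18, 0, 1),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Asterisk 17.5.1'.

    Raises ValueError for strings without an x.y.z version, such as
    git snapshot builds, so the caller cannot silently treat them as fixed.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """Return True if the version is below the fixed release of its branch,
    False if it is at or above it, and None if the advisory does not list a
    fixed version for that branch (unsupported or certified branch), which
    needs manual review rather than an automatic verdict.
    """
    # Certified releases (e.g. '16.8-cert5') use their own numbering and are
    # not covered by the four fixed versions above (assumption: treat as unknown).
    if "cert" in version_text.lower():
        return None
    ver = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return None
    return ver < fixed


def local_asterisk_version():
    """Return the output of 'asterisk -V', or None if the binary is not installed."""
    binary = shutil.which("asterisk")
    if binary is None:
        return None
    out = subprocess.run([binary, "-V"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


def describe(version_text):
    """Human-readable verdict for one version string."""
    verdict = is_vulnerable(version_text)
    if verdict is None:
        return f"{version_text}: branch not covered by AST-2020-001, review manually"
    if verdict:
        fixed = FIXED_VERSIONS[parse_version(version_text)[0]]
        return f"{version_text}: VULNERABLE, upgrade to {'.'.join(map(str, fixed))} or later"
    return f"{version_text}: fixed"


if __name__ == "__main__":
    local = local_asterisk_version()
    # Constructed sample strings, used when no local Asterisk is available.
    samples = [local] if local else [
        "Asterisk 17.5.1",   # tested vulnerable by the advisory
        "Asterisk 17.8.1",   # fixed
        "Asterisk 18.0.0",   # vulnerable
        "Asterisk 15.7.4",   # branch not listed
        "Asterisk 16.8-cert5",
    ]
    for s in samples:
        print(describe(s))
```

The comparison is per branch on purpose: 17.10.0 is newer than 17.8.1 and is fixed, but 18.0.0 is newer still and is not, so a plain "highest version wins" check would get the 18.0.0 case wrong.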
Description
When an Asterisk instance is flooded with SIP INVITE messages over TCP, it was observed that after some time Asterisk crashes with a segmentation fault. The backtrace generated after the crash is:
…