Asterisk: denial of service via DTLS Hello packets during call initiation
Published on Dec 15, 2023 in CVE-2023-49786, asterisk, denial of service, security advisory
- Fixed versions: 18.20.1, 20.5.1, 21.0.1, 18.9-cert6
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2023-01-asterisk-dtls-hello-race/
- Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
- Other references: CVE-2023-49786
- Tested vulnerable versions: 20.1.0
- Timeline:
  - Report date: 2023-09-27
  - Triaged: 2023-09-27
  - Fix provided for testing: 2023-11-09
  - Vendor release with fix: 2023-12-14
  - Enable Security advisory: 2023-12-15
TL;DR
When handling DTLS-SRTP for media setup, Asterisk is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. The attack can be repeated continuously, denying new DTLS-SRTP encrypted calls for as long as it runs.
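For operators triaging this advisory, the practical question is whether a deployed Asterisk falls below the fix for its release branch. The following is an added example (not code from the advisory or from the Asterisk project) that compares an installed version string against the fixed versions listed above. It assumes Asterisk's `major.minor.patch` numbering and its `major.minor-certN` certified-release naming; the rule that a certified release is only compared against the certified fix, and a standard release only against the standard fix of the same major version, is this example's own assumption, as is treating branches with no listed fix (for example 19.x) as not fixed.

```python
import re

# Fixed versions as listed in the advisory for CVE-2023-49786.
FIXED_VERSIONS = ["18.20.1", "20.5.1", "21.0.1", "18.9-cert6"]


def parse_version(v):
    """Parse an Asterisk version string into (major, minor, patch, cert).

    `cert` is None for a standard release and the certified-release
    number for strings such as "18.9-cert6".  Raises ValueError on
    anything that does not look like an Asterisk version.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {v!r}")
    major, minor, patch, cert = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(cert) if cert is not None else None)


def is_fixed(installed, fixed_versions=FIXED_VERSIONS):
    """Return True if `installed` is at or above the fix for its branch.

    Assumption (not stated by the advisory): certified releases are only
    compared with the certified fix for the same major.minor, standard
    releases only with the standard fix for the same major version.
    A branch with no listed fix is reported as not fixed.
    """
    inst = parse_version(installed)
    for fv in fixed_versions:
        fix = parse_version(fv)
        if fix[0] != inst[0]:
            continue  # different major branch
        if (fix[3] is None) != (inst[3] is None):
            continue  # certified vs standard release: not comparable
        if fix[3] is not None:
            # Certified branch: same major.minor, compare the cert number.
            if fix[1] == inst[1] and inst[3] >= fix[3]:
                return True
        elif inst[:3] >= fix[:3]:
            return True
    return False


def triage(installed, fixed_versions=FIXED_VERSIONS):
    """Human-readable verdict for a version string (constructed helper)."""
    state = "fixed" if is_fixed(installed, fixed_versions) else "NOT fixed"
    return f"Asterisk {installed}: {state} for CVE-2023-49786"


if __name__ == "__main__":
    # "20.1.0" is the version the advisory lists as tested vulnerable.
    for v in ["20.1.0", "20.5.1", "18.19.0", "18.20.1", "18.9-cert5", "18.9-cert6", "21.0.0", "21.0.1"]:
        print(triage(v))
```

Run it with the output of `asterisk -V` (minus the leading "Asterisk " text) to get a verdict; the check is only as good as the fixed-version list, so extend `FIXED_VERSIONS` from the vendor advisory if further branches are released.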
…