ID

VAR-202011-0887


CVE

CVE-2020-28242


TITLE

Asterisk Open Source and Certified Asterisk recursion control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-013387

DESCRIPTION

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1, and in Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory, since the transaction never terminates (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Trust: 1.62

sources: NVD: CVE-2020-28242 // JVNDB: JVNDB-2020-013387

AFFECTED PRODUCTS

vendor: fedoraproject, model: fedora, scope: eq, version: 33

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 13.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 18.0

Trust: 1.0

vendor: asterisk, model: certified asterisk, scope: lte, version: 16.8.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 16.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lt, version: 13.37.1

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lt, version: 18.0.1

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 9.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lt, version: 17.8.1

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lt, version: 16.14.1

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 17.0

Trust: 1.0

vendor: digium, model: asterisk open source, scope: -, version: -

Trust: 0.8

vendor: digium, model: certified asterisk, scope: eq, version: 16.8-cert5

Trust: 0.8

sources: JVNDB: JVNDB-2020-013387 // NVD: CVE-2020-28242

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-28242
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-28242
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202011-675
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-28242
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2020-28242
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-28242
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-013387 // CNNVD: CNNVD-202011-675 // NVD: CVE-2020-28242

PROBLEMTYPE DATA

problemtype: CWE-674

Trust: 1.0

problemtype: Uncontrolled recursion (CWE-674) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-013387 // NVD: CVE-2020-28242

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-675

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202011-675

PATCH

title: AST-2020-002, url: http://downloads.asterisk.org/pub/security/AST-2020-002.html

Trust: 0.8

title: Digium Asterisk Open Source and Certified Asterisk security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=135266

Trust: 0.6

sources: JVNDB: JVNDB-2020-013387 // CNNVD: CNNVD-202011-675

EXTERNAL IDS

db: NVD, id: CVE-2020-28242

Trust: 2.4

db: JVNDB, id: JVNDB-2020-013387

Trust: 0.8

db: CNNVD, id: CNNVD-202011-675

Trust: 0.6

sources: JVNDB: JVNDB-2020-013387 // CNNVD: CNNVD-202011-675 // NVD: CVE-2020-28242

REFERENCES

url: http://downloads.asterisk.org/pub/security/ast-2020-002.html

Trust: 1.6

url: https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-28242

Trust: 1.4

url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/qus54qtqcykr36eiulyd544gxda644hb/

Trust: 1.0

url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/qus54qtqcykr36eiulyd544gxda644hb/

Trust: 0.6

sources: JVNDB: JVNDB-2020-013387 // CNNVD: CNNVD-202011-675 // NVD: CVE-2020-28242

SOURCES

db: JVNDB, id: JVNDB-2020-013387
db: CNNVD, id: CNNVD-202011-675
db: NVD, id: CVE-2020-28242

LAST UPDATE DATE

2024-11-23T22:11:15.384000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-013387, date: 2021-06-29T08:35:00
db: CNNVD, id: CNNVD-202011-675, date: 2022-04-06T00:00:00
db: NVD, id: CVE-2020-28242, date: 2024-11-21T05:22:30.340

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-013387, date: 2021-06-29T00:00:00
db: CNNVD, id: CNNVD-202011-675, date: 2020-11-06T00:00:00
db: NVD, id: CVE-2020-28242, date: 2020-11-06T06:15:11.930