Vulnerability Description
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asterisk | Asterisk Appliance Developer Kit | 0.2 |
| Asterisk | Asterisk Business Edition | <= b.2.5.1 |
| Asterisk | Asterisknow | <= 1.0.2 |
| Asterisk | Open Source | <= 1.2.27 |
| Asterisk | S800I | <= 1.1.0.2 |
Related Weaknesses (CWE)
References
- http://bugs.digium.com/view.php?id=10078
- http://downloads.digium.com/pub/security/AST-2008-006.html
- http://secunia.com/advisories/29927Vendor Advisory
- http://secunia.com/advisories/30010Vendor Advisory
- http://secunia.com/advisories/30042Vendor Advisory
- http://secunia.com/advisories/34982
- http://security.gentoo.org/glsa/glsa-200905-01.xml
- http://www.altsci.com/concepts/page.php?s=asteri&p=2
- http://www.debian.org/security/2008/dsa-1563
- http://www.securityfocus.com/archive/1/491220/100/0/threaded
- http://www.securityfocus.com/bid/28901
- http://www.securitytracker.com/id?1019918
- http://www.vupen.com/english/advisories/2008/1324
- https://downloads.asterisk.org/pub/security/AST-2008-006.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41966
FAQ
What is CVE-2008-1897?
CVE-2008-1897 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW b...
How severe is CVE-2008-1897?
CVE-2008-1897 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-1897?
Check the references section above for vendor advisories and patch information. Affected products include: Asterisk Asterisk Appliance Developer Kit, Asterisk Asterisk Business Edition, Asterisk Asterisknow, Asterisk Open Source, Asterisk S800I.