1. Home
  2. CVE Database
  3. CVE-2020-28242
MEDIUM · 6.5

CVE-2020-28242

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged...

Vulnerability Description

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Affected Products

VendorProductVersions
AsteriskCertified Asterisk<= 16.8.0
SangomaAsterisk>= 13.0, < 13.37.1
FedoraprojectFedora33
DebianDebian Linux9.0

Related Weaknesses (CWE)

CWE-674

References

FAQ

What is CVE-2020-28242?

CVE-2020-28242 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged...

How severe is CVE-2020-28242?

CVE-2020-28242 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-28242?

Check the references section above for vendor advisories and patch information. Affected products include: Asterisk Certified Asterisk, Sangoma Asterisk, Fedoraproject Fedora, Debian Debian Linux.