Vulnerability Name:

CVE-2020-28327 (CCN-191388)

Assigned:2020-11-05
Published:2020-11-05
Updated:2020-11-20
Summary:A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or accessed next by the initial-creation thread. Note, however, that this crash can only occur when using a connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP transport. Also, the remote client must be authenticated, or Asterisk must be configured for anonymous calling.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-404
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-28327

Source: CCN
Type: Asterisk Project Security Advisory - AST-2020-001
Remote crash in res_pjsip_session

Source: MISC
Type: Patch, Vendor Advisory
http://downloads.asterisk.org/pub/security/AST-2020-001.html

Source: XF
Type: UNKNOWN
asterisk-cve202028327-dos(191388)

Source: MISC
Type: Exploit, Issue Tracking, Vendor Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-29057

Source: CCN
Type: Packet Storm Security [11-06-2020]
Asterisk 17.6.0 / 17.5.1 Denial Of Service

Vulnerable Configuration:Configuration 1:
  • cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.37.1)
  • OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.14.1)
  • OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version >= 17.0.0 and < 17.8.1)
  • OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version >= 18.0.0 and < 18.0.1)
  • OR cpe:/a:digium:certified_asterisk:16.8:-:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc4:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    asterisk open source *
    asterisk open source *
    asterisk open source *
    asterisk open source *
    digium certified asterisk 16.8 -
    digium certified asterisk 16.8 cert1-rc1
    digium certified asterisk 16.8 cert1-rc2
    digium certified asterisk 16.8 cert1-rc3
    digium certified asterisk 16.8 cert1-rc4
    digium certified asterisk 16.8 cert2
    digium certified asterisk 16.8 cert3
    digium certified asterisk 16.8 cert4
    digium certified asterisk 16.8 cert4-rc1
    digium certified asterisk 16.8 cert4-rc2
    digium certified asterisk 16.8 cert4-rc3
    digium certified asterisk 16.8 cert4-rc4