CVE-2020-28242
First published: Fri Nov 06 2020(Updated: )
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk Certified Asterisk | <=16.8.0 | |
| Asterisk Open Source | >=13.0<13.37.1 | |
| Asterisk Open Source | >=16.0<16.14.1 | |
| Asterisk Open Source | >=17.0<17.8.1 | |
| Asterisk Open Source | >=18.0<18.0.1 | |
| Fedoraproject Fedora | =33 | |
| Debian Debian Linux | =9.0 | |
| Sangoma Asterisk | >=13.0<13.37.1 | |
| Sangoma Asterisk | >=16.0<16.14.1 | |
| Sangoma Asterisk | >=17.0<17.8.1 | |
| Sangoma Asterisk | >=18.0<18.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.asterisk.org/pub/security/AST-2020-002.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/
Frequently Asked Questions
What is the severity of CVE-2020-28242?
The severity of CVE-2020-28242 is medium with a severity value of 6.5.
What software versions are affected by CVE-2020-28242?
CVE-2020-28242 affects Asterisk Open Source versions 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1, as well as Certified Asterisk before 16.8-cert5.
What is the CWE of CVE-2020-28242?
The CWE of CVE-2020-28242 is CWE-674.
How can I fix CVE-2020-28242?
To fix CVE-2020-28242, it is recommended to update Asterisk Open Source to version 13.37.1, 16.14.1, 17.8.1, or 18.0.1, or update Certified Asterisk to version 16.8-cert5.
Where can I find more information about CVE-2020-28242?
More information about CVE-2020-28242 can be found at the following references: [AST-2020-002](http://downloads.asterisk.org/pub/security/AST-2020-002.html), [Debian LTS](https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html), [Fedora Project](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/asterisk
- canonical/asterisk certified asterisk
- version/asterisk certified asterisk/16.8.0
- canonical/asterisk open source
- version/asterisk open source/13.0
- version/asterisk open source/16.0
- version/asterisk open source/17.0
- version/asterisk open source/18.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/sangoma
- canonical/sangoma asterisk
- version/sangoma asterisk/13.0
- version/sangoma asterisk/16.0
- version/sangoma asterisk/17.0
- version/sangoma asterisk/18.0