CVE-2023-49786

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49786
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-49786.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-49786
Aliases
  • GHSA-hxj9-xwr8-w8pq
Downstream
Published
2023-12-14T19:47:46Z
Modified
2025-10-30T20:24:05.887777Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
Details

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

Database specific 
{
    "cwe_ids": [
        "CWE-703"
    ]
}
References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
14d0e59f3d8f7521621561168ef4a297702d978f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.20.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
de4f63b4824c91a0cd9f3d95f3b7923bec71960c
Fixed
f7a8ac086de697db30e376d589a6f4e17cfabef5
Database specific 
{
    "versions": [
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "20.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
12da95e53ff42287ad69d6d5922e06c3d62010ac
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 21.0.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
35e0c6c0f4ec35493e9a4bb938226722ded35c61
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.9-cert6"
        }
    ]
}

Affected versions

18.*

18.17.0
18.17.0-rc1
18.17.1
18.18.0
18.18.0-rc1
18.18.1
18.19.0
18.19.0-rc1
18.19.0-rc2
18.20.0
18.20.0-rc1
18.9.0
18.9.0-rc1

21.*

21.0.0
21.0.0-pre1
21.0.0-rc1

certified-18.*

certified-18.9-cert4
certified-18.9-cert5

certified/18.*

certified/18.9-cert1
certified/18.9-cert1-rc1
certified/18.9-cert2
certified/18.9-cert3
certified/18.9-cert4