CVE - CVE-2008-1897

CVE-ID
CVE-2008-1897	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:28901 URL:http://www.securityfocus.com/bid/28901 BUGTRAQ:20080422 AST-2008-006 - 3-way handshake in IAX2 incomplete URL:http://www.securityfocus.com/archive/1/491220/100/0/threaded CONFIRM:http://bugs.digium.com/view.php?id=10078 CONFIRM:http://downloads.digium.com/pub/security/AST-2008-006.html CONFIRM:https://downloads.asterisk.org/pub/security/AST-2008-006.html DEBIAN:DSA-1563 URL:http://www.debian.org/security/2008/dsa-1563 FEDORA:FEDORA-2008-3365 URL:https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00581.html FEDORA:FEDORA-2008-3390 URL:https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00600.html GENTOO:GLSA-200905-01 URL:http://security.gentoo.org/glsa/glsa-200905-01.xml MISC:http://www.altsci.com/concepts/page.php?s=asteri&p=2 MISC:https://downloads.asterisk.org/pub/security/AST-2008-006.html MISC:https://github.com/jcollie/asterisk/commit/60de4fbbdf3ede49f158e23a9e3b679f2e519c1e MISC:https://github.com/jcollie/asterisk/commit/771b3d8749b34b6eea4e03a2e514380da9582f90 MISC:https://github.com/jcollie/asterisk/commit/a8b180875b037b8da26f6a3bcc8e5e98b8c904d2 MISC:https://github.com/kaoru6/asterisk/commit/1fe14f38dd43dc894d21f85762b51208ba5c8acb MISC:https://github.com/lyx2014/Asterisk/commit/0670e43c30135044e25cca7f80e1833e2c128653 MISC:https://github.com/mojolingo/asterisk/commit/20ac3662f137dbf7f42d5295590069a7d3b1166b MISC:https://github.com/pruiz/asterisk/commit/e0ef9bd22810c6969a7f222eec04798f19a7e2d6 MISC:https://github.com/silentindark/asterisk-1/commit/fe8b7f31db687f8b9992864b82c93d22833019c7 MISC:https://github.com/xrg/asterisk-xrg/commit/10da3dab24e8ca08cf2c983f8d0206e383535b5a MISC:https://github.com/xrg/asterisk-xrg/commit/51714a24347dc57f9a208a4a8af84115ef407b83 SECTRACK:1019918 URL:http://www.securitytracker.com/id?1019918 SECUNIA:29927 URL:http://secunia.com/advisories/29927 SECUNIA:30010 URL:http://secunia.com/advisories/30010 SECUNIA:30042 URL:http://secunia.com/advisories/30042 SECUNIA:34982 URL:http://secunia.com/advisories/34982 VUPEN:ADV-2008-1324 URL:~~http://www.vupen.com/english/advisories/2008/1324~~ (Obsolete source) XF:asterisk-iax2protocol-ack-dos(41966) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/41966
Assigning CNA
MITRE Corporation
Date Record Created
20080420	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20080420)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)