The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.03481.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Asterisk
  • Asterisk Appliance Developer Kit
  • Asterisk Business Edition
  • Asterisknow
  • Open Source
  • S800i

Configuration 1 [-]

OR cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.4:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.5:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.6:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.7:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.8:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:a:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:b.2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0:beta7:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0:beta8:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.6:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisknow:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisknow:1.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:asterisknow:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.3.4:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.8:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.9:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.11:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.11:patch:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.11.1:patch:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.12:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.0.12:patch:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.0:beta1:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.0:beta2:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.2:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.3:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.4:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.5:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.6:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.7:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.7.1:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.8:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.9.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.9.1:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.10:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.10:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.11:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.11:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.12:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.12.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.12.1:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.13:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.14:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.15:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.15:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.16:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.16:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.17:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.17:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.18:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.18:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.19:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.19:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.20:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.20:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.21:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.21:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.21.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.21.1:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.22:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.22:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.23:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.23:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.24:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.24:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.25:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.25:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26.1:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.2.26.2:netsec:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.0:beta3:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.0:beta4:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.10:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.10.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.11:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.12:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.12.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.13:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.14:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.15:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.16:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.16.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.16.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.17:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.18:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:open_source:1.4.18.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.0.3.3:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:s800i:1.1.0.1:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-1563-1 New asterisk packages fix denial of service
EUVD EUVD EUVD-2008-1897 The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://bugs.digium.com/view.php?id=10078 cve-icon cve-icon
http://downloads.digium.com/pub/security/AST-2008-006.html cve-icon cve-icon
http://secunia.com/advisories/29927 cve-icon cve-icon
http://secunia.com/advisories/30010 cve-icon cve-icon
http://secunia.com/advisories/30042 cve-icon cve-icon
http://secunia.com/advisories/34982 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-200905-01.xml cve-icon cve-icon
http://www.altsci.com/concepts/page.php?s=asteri&p=2 cve-icon cve-icon
http://www.debian.org/security/2008/dsa-1563 cve-icon cve-icon
http://www.securityfocus.com/archive/1/491220/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/28901 cve-icon cve-icon
http://www.securitytracker.com/id?1019918 cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/1324 cve-icon cve-icon
https://downloads.asterisk.org/pub/security/AST-2008-006.html cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/41966 cve-icon cve-icon
https://github.com/jcollie/asterisk/commit/60de4fbbdf3ede49f158e23a9e3b679f2e519c1e cve-icon cve-icon
https://github.com/jcollie/asterisk/commit/771b3d8749b34b6eea4e03a2e514380da9582f90 cve-icon cve-icon
https://github.com/jcollie/asterisk/commit/a8b180875b037b8da26f6a3bcc8e5e98b8c904d2 cve-icon cve-icon
https://github.com/kaoru6/asterisk/commit/1fe14f38dd43dc894d21f85762b51208ba5c8acb cve-icon cve-icon
https://github.com/lyx2014/Asterisk/commit/0670e43c30135044e25cca7f80e1833e2c128653 cve-icon cve-icon
https://github.com/mojolingo/asterisk/commit/20ac3662f137dbf7f42d5295590069a7d3b1166b cve-icon cve-icon
https://github.com/pruiz/asterisk/commit/e0ef9bd22810c6969a7f222eec04798f19a7e2d6 cve-icon cve-icon
https://github.com/silentindark/asterisk-1/commit/fe8b7f31db687f8b9992864b82c93d22833019c7 cve-icon cve-icon
https://github.com/xrg/asterisk-xrg/commit/10da3dab24e8ca08cf2c983f8d0206e383535b5a cve-icon cve-icon
https://github.com/xrg/asterisk-xrg/commit/51714a24347dc57f9a208a4a8af84115ef407b83 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2008-1897 cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00581.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00600.html cve-icon cve-icon
History

Wed, 28 May 2025 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 22 May 2025 04:30:00 +0000

Type Values Removed Values Added
References
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-07T08:40:59.845Z

Reserved: 2008-04-20T00:00:00

Link: CVE-2008-1897

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2008-04-23T16:05:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-1897

cve-icon Redhat

Severity :

Publid Date: 2008-04-22T00:00:00Z

Links: CVE-2008-1897 - Bugzilla

cve-icon OpenCVE Enrichment

No data.