CVE-2008-1897 · threatengine.sh

Home/CVE/The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Busin

CVE

CVE-2008-1897

The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Busin

The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1.

Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1.

AsteriskNOW before 1.0.3.

Appliance Developer Kit 0.x.x.

and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.

MEDIUM · CVSS 4.3 EPSS 0.03049

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-287Improper Authentication

▤

Affected Products & Versions

9

asterisk appliance developer kitall versions
asterisk business edition<= b.2.5.1
asterisk business edition<= c1.8.0
asterisk business editionall versions
asterisk asterisknow<= 1.0.2
asterisk asterisknowall versions
asterisk open source<= 1.2.27
asterisk open source<= 1.4.19
Show all 9 affected productsasterisk open sourceall versions

▣

Scoring & Timeline

4.3

MEDIUM · CVSS v2 (legacy) · cve@mitre.org

View on NVD

This CVE predates CVSS v3; the legacy v2 score is shown so triage still has a severity to work with.

v2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Published to NVD23 Apr 2008 · 04:05 PM

🔗

References & Sources

27

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://bugs.digium.com/view.php?id=10078

http://downloads.digium.com/pub/security/AST-2008-006.html

http://secunia.com/advisories/29927Vendor Advisory

http://secunia.com/advisories/30010Vendor Advisory

http://secunia.com/advisories/30042Vendor Advisory

http://secunia.com/advisories/34982

Show all 27 references

http://security.gentoo.org/glsa/glsa-200905-01.xml

http://www.altsci.com/concepts/page.php?s=asteri&p=2

http://www.debian.org/security/2008/dsa-1563

http://www.securityfocus.com/archive/1/491220/100/0/threaded

http://www.securityfocus.com/bid/28901

http://www.securitytracker.com/id?1019918

http://www.vupen.com/english/advisories/2008/1324

https://downloads.asterisk.org/pub/security/AST-2008-006.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/41966

https://github.com/jcollie/asterisk/commit/60de4fbbdf3ede49f158e23a9e3b679f2e519c1e

https://github.com/jcollie/asterisk/commit/771b3d8749b34b6eea4e03a2e514380da9582f90

https://github.com/jcollie/asterisk/commit/a8b180875b037b8da26f6a3bcc8e5e98b8c904d2

https://github.com/kaoru6/asterisk/commit/1fe14f38dd43dc894d21f85762b51208ba5c8acb

https://github.com/lyx2014/Asterisk/commit/0670e43c30135044e25cca7f80e1833e2c128653

https://github.com/mojolingo/asterisk/commit/20ac3662f137dbf7f42d5295590069a7d3b1166b

https://github.com/pruiz/asterisk/commit/e0ef9bd22810c6969a7f222eec04798f19a7e2d6

https://github.com/silentindark/asterisk-1/commit/fe8b7f31db687f8b9992864b82c93d22833019c7

https://github.com/xrg/asterisk-xrg/commit/10da3dab24e8ca08cf2c983f8d0206e383535b5a

https://github.com/xrg/asterisk-xrg/commit/51714a24347dc57f9a208a4a8af84115ef407b83

https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00581.html

https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00600.html

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin