An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Certified_asterisk | Asterisk | * | 16.8.0 (including) |
| Open_source | Asterisk | 13.0 (including) | 13.37.1 (excluding) |
| Open_source | Asterisk | 16.0 (including) | 16.14.1 (excluding) |
| Open_source | Asterisk | 17.0 (including) | 17.8.1 (excluding) |
| Open_source | Asterisk | 18.0 (including) | 18.0.1 (excluding) |