CVE-2023-49786
📋 TL;DR
A race condition in the DTLS-SRTP setup of Asterisk's RTP engine (res_rtp_asterisk) lets an unauthenticated attacker who can send UDP to the server's media ports break new encrypted calls. If a DTLS ClientHello from a third party reaches the call's RTP port before the legitimate endpoint's does, the real endpoint's handshake fails and the call never gets media. The attacker can keep sending hello packets for as long as they like, so every new DTLS-SRTP call (in practice, every WebRTC call) fails while the attack runs. Plain RTP and SDES-SRTP calls do not use DTLS and are not affected.
💻 Affected Systems
- Asterisk 18.x before 18.20.1, 20.x before 20.5.1, 21.x before 21.0.1
- Certified Asterisk 18.9 before 18.9-cert6
📦 What is this software?
Asterisk is the open-source PBX and telephony engine from Digium (now part of Sangoma). Certified Asterisk is the vendor-supported build of the same code base and shares the affected DTLS-SRTP code.
⚠️ Risk & Real-World Impact
Worst Case
All new DTLS-SRTP encrypted calls on the server fail for as long as the attacker keeps sending DTLS hello packets. WebRTC endpoints mandate DTLS-SRTP, so a WebRTC-only deployment loses all new calls; calls that were already established are not described as affected.
Likely Case
Intermittent call setup failures and degraded availability for encrypted calls during attack periods, since the attacker has to win the race for each call.
If Mitigated
Minimal impact once the fixed release is installed, or if DTLS-SRTP is disabled on the affected endpoints. Unencrypted RTP and SDES-SRTP calls are unaffected either way.
🎯 Exploit Status
No authentication is needed: the attacker only has to be able to send UDP to Asterisk's media (RTP) ports and to time a DTLS ClientHello ahead of the legitimate endpoint. The EnableSecurity advisory (ES2023-01) and the Packet Storm entry below document the technique publicly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Asterisk 18.20.1, 20.5.1, 21.0.1, Certified Asterisk 18.9-cert6
Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
Fix Commit: https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
Restart Required: Yes (the fix is in res_rtp_asterisk, which cannot be reloaded on a live system)
Instructions:
1. Back up the current configuration (/etc/asterisk) and note the running version with asterisk -rx 'core show version'.
2. Update Asterisk to the fixed release for your branch, using the distribution package manager or by rebuilding from source. Distribution packages may backport the fix under an older version number; check the package changelog rather than the upstream version alone.
3. Restart the Asterisk service.
4. Confirm the new version and place a test DTLS-SRTP (for example WebRTC) call.
🔧 Temporary Workarounds
Disable DTLS-SRTP
Temporarily disable DTLS-SRTP on the affected endpoints. This removes the attack surface but also removes media encryption, and WebRTC clients require DTLS-SRTP, so they will stop working until the patch is applied.
chan_pjsip: in pjsip.conf set media_encryption=no (or media_encryption=sdes where SDES-SRTP is acceptable) on the endpoint sections that currently use dtls.
chan_sip: in sip.conf set dtlsenable=no on the affected peers.
Restart Asterisk after the change (an endpoint reload is not enough for sessions already negotiating).
Network Segmentation
Restrict access to Asterisk's RTP port range to trusted networks. The range is set by rtpstart/rtpend in rtp.conf; 10000-20000 is a common distribution default (the upstream sample config uses 5000-31000), so check your own file before writing rules. This only works when every media peer (trunks, phones) is on a known network; it cannot be used for WebRTC clients on the public internet. The ACCEPT rule must precede any broader ACCEPT in the INPUT chain.
iptables -A INPUT -p udp --dport 10000:20000 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -j DROP
🧯 If You Can't Patch
- Apply strict network access controls so that only known media peers can reach the RTP port range (see the iptables rules above)
- Monitor for bursts of DTLS handshake failures and, where your firewall supports it, rate-limit unsolicited UDP to the RTP range from single sources
🔍 How to Verify
Check if Vulnerable:
Read the running version from the CLI and compare it against the fixed release for the same branch:
asterisk -rx 'core show version' | grep 'Asterisk'
Verify Fix Applied:
The server is fixed when the version is at least 18.20.1 on the 18 branch, 20.5.1 on the 20 branch, 21.0.1 on the 21 branch, or 18.9-cert6 for Certified Asterisk. Versions on branches without a listed fix (for example 19.x) are end-of-life and should be upgraded. Distribution packages that backport the fix (see the Debian LTS announcement in the references) keep the older upstream version string, so on those systems check the package changelog instead of trusting the banner.
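The branch-aware comparison described above, as an added example that is not part of the original page or of the Asterisk project. It parses the banner printed by `asterisk -rx 'core show version'` (assumed to start with `Asterisk <version>`, with Certified Asterisk reporting `certified/18.9-certN`) and reports patched, vulnerable or unsupported-branch. It does not detect distribution backports; for those, read the package changelog.

```sh
#!/bin/sh
# Added example: classify an Asterisk version banner against the fixed releases
# for CVE-2023-49786. Pure POSIX sh, no sort -V needed.

# Fixed release per branch (from the advisory). Certified versions are
# normalised to MAJOR.MINOR.CERT so that a plain numeric compare works.
fixed_for_branch() {
  case "$1" in
    18) printf '%s\n' 18.20.1 ;;
    20) printf '%s\n' 20.5.1 ;;
    21) printf '%s\n' 21.0.1 ;;
    certified/18.9) printf '%s\n' 18.9.6 ;;   # 18.9-cert6
    *) printf '%s\n' "" ;;                    # no fixed release on this branch
  esac
}

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
    if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
  done
  printf '%s\n' 0
}

# Takes the full 'core show version' banner, prints one of:
#   patched | vulnerable | unsupported-branch | unknown
asterisk_status() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^Asterisk \([^ ]*\).*/\1/p')
  [ -n "$ver" ] || { printf '%s\n' unknown; return 0; }
  case "$ver" in
    certified/*)
      ver=${ver#certified/}               # 18.9-cert5
      branch="certified/${ver%-cert*}"    # certified/18.9
      ver="${ver%-cert*}.${ver#*-cert}"   # 18.9.5
      ;;
    *) branch=${ver%%.*} ;;               # 20.4.0 -> 20
  esac
  fixed=$(fixed_for_branch "$branch")
  [ -n "$fixed" ] || { printf '%s\n' unsupported-branch; return 0; }
  if [ "$(vercmp "$ver" "$fixed")" -ge 0 ]; then
    printf '%s\n' patched
  else
    printf '%s\n' vulnerable
  fi
}

# Check the live server when the CLI is present; otherwise only define the functions.
if command -v asterisk >/dev/null 2>&1; then
  asterisk_status "$(asterisk -rx 'core show version' 2>/dev/null || true)"
fi
```

Run it on the PBX host as a user allowed to talk to the Asterisk control socket; a stopped daemon yields an empty banner and therefore `unknown`, which should be treated as "not verified" rather than "fixed".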
📡 Detection & Monitoring
Log Indicators:
- Bursts of DTLS handshake failures from res_rtp_asterisk in a short window, well above the baseline for client-side network problems
- Call setups that reach the answered state but drop or never get media, with DTLS-SRTP errors on the channel
- Unusual volumes of inbound UDP to the RTP range that do not correspond to active calls
Network Indicators:
- High volume of DTLS ClientHello packets (UDP payload starting with a DTLS handshake record, content type 22) from a single source to many ports in the RTP range
- ClientHello packets arriving on a port before the SDP offer/answer for that call has completed
- Spike in UDP traffic to the media port range
SIEM Query:
source="asterisk.log" AND ("DTLS" AND "handshake" AND "failed") | stats count by src_ip
Note that Asterisk's own DTLS failure warnings do not necessarily include the remote address, so the per-source breakdown only works if your pipeline enriches the log with flow data (firewall logs or a capture on the RTP range); counting failures per minute from the Asterisk log alone is still enough to alert on a sustained attack.
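The per-minute burst detection described above, run over a constructed sample of Asterisk log lines. This is an added example, not code from the page or from the Asterisk project; the log lines are made up for the example and follow the `[date] LEVEL[pid][callid] file: message` layout, and the threshold (failures per minute) is a parameter you tune to your own baseline.

```sh
#!/bin/sh
# Added example: flag minutes in which DTLS failures exceed a threshold.
# Reads an Asterisk full log on stdin; prints "<Mon> <day> <HH:MM> <count>".

# Constructed sample log (not from a real system): six failures in one minute
# from different calls, then a single failure a minute later, plus unrelated lines.
SAMPLE_LOG='[Dec 15 10:00:01] NOTICE[1234] chan_pjsip.c: Call from 203.0.113.10 to extension 100
[Dec 15 10:00:02] WARNING[1234][C-00000001] res_rtp_asterisk.c: DTLS failure occurred on RTP instance, terminating
[Dec 15 10:00:03] WARNING[1234][C-00000002] res_rtp_asterisk.c: DTLS failure occurred on RTP instance, terminating
[Dec 15 10:00:05] WARNING[1234][C-00000003] res_rtp_asterisk.c: DTLS handshake failed, terminating
[Dec 15 10:00:09] WARNING[1234][C-00000004] res_rtp_asterisk.c: DTLS failure occurred on RTP instance, terminating
[Dec 15 10:00:31] WARNING[1234][C-00000005] res_rtp_asterisk.c: DTLS failure occurred on RTP instance, terminating
[Dec 15 10:00:58] WARNING[1234][C-00000006] res_rtp_asterisk.c: DTLS handshake failed, terminating
[Dec 15 10:01:15] VERBOSE[1234] res_rtp_asterisk.c: Setting DTLS setup to passive for this call
[Dec 15 10:01:40] WARNING[1234][C-00000007] res_rtp_asterisk.c: DTLS failure occurred on RTP instance, terminating'

# $1 = failures-per-minute threshold. Matches the two failure phrasings above;
# the VERBOSE "Setting DTLS setup" line must not count.
dtls_failure_bursts() {
  awk -v thr="$1" '
    /DTLS failure|DTLS handshake fail/ {
      ts  = substr($0, 2, index($0, "]") - 2)     # "Dec 15 10:00:02"
      key = substr(ts, 1, length(ts) - 3)         # "Dec 15 10:00"
      n[key]++
    }
    END { for (k in n) if (n[k] >= thr) print k, n[k] }
  ' | LC_ALL=C sort
}

# Same idea as a one-off against a real log file:
#   dtls_failure_bursts 20 < /var/log/asterisk/full
```

Six failing calls in a minute is already suspicious on a small PBX; on a larger one set the threshold from a week of normal logs, since a flaky Wi-Fi client also produces occasional DTLS failures but not a steady stream across many distinct channel IDs.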
🔗 References
- http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html
- http://seclists.org/fulldisclosure/2023/Dec/24
- http://www.openwall.com/lists/oss-security/2023/12/15/7
- https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
- https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
- https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
- https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html