CVE-2016-2316

high-risk
Published 2016-02-22

chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values.

Do I need to act?

~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Digium Fedoraproject

References (12)

Exploit http://downloads.asterisk.org/pub/security/AST-2016-002.html
Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177409.h...
Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177422.h...
http://www.debian.org/security/2016/dsa-3700
Third Party Advisory http://www.securityfocus.com/bid/82651
Third Party Advisory http://www.securitytracker.com/id/1034930
Exploit http://downloads.asterisk.org/pub/security/AST-2016-002.html
Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177409.h...
Third Party Advisory http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177422.h...
http://www.debian.org/security/2016/dsa-3700
Third Party Advisory http://www.securityfocus.com/bid/82651
Third Party Advisory http://www.securitytracker.com/id/1034930
54
/ 100
high-risk
Severity 18/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 33/34 · Critical