
Cloud Vulnerability DB
A community-led vulnerabilities database
Asterisk, an open source private branch exchange and telephony toolkit, was found vulnerable to a Denial of Service condition (CVE-2023-49786) discovered in September 2023. The vulnerability affects versions prior to 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6. The issue was reported on September 27, 2023, and fixed versions were released on December 14, 2023 (Enable Security Advisory, Vendor Advisory).
The vulnerability stems from a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. The issue occurs when an attacker sends a ClientHello DTLS message with an invalid CipherSuite (such as TLS_NULL_WITH_NULL_NULL) to the port on the Asterisk server that is expecting packets from the caller. This triggers a DTLS error, resulting in the media session being torn down, followed by teardown at the signaling (SIP) level. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Vendor Advisory).
Exploitation of this vulnerability can cause a large-scale Denial of Service on vulnerable Asterisk servers, affecting calls that rely on DTLS-SRTP. During an attack, the attacker can continuously spray DTLS ClientHello messages across the range of UDP ports allocated for RTP, effectively preventing new DTLS-SRTP encrypted calls from being established (Enable Security Advisory).
The recommended mitigation is to upgrade Asterisk to a fixed version: 18.20.1, 20.5.1, 21.0.1, or 18.9-cert6. The fix drops all packets from addresses that have not been validated by an ICE check, so the race condition can no longer be exploited by an unverified sender (Asterisk Commit).
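A simplified model of the fix described above, added here as an example and not taken from Asterisk's source: incoming media packets are demultiplexed per RFC 7983 by first byte, and DTLS records are only handed to the handshake when the source address has passed an ICE check. The `MediaSession`, `packet_kind` and `dtls_record_ok` names and the sample packets are constructed for illustration.

```python
"""Model of the CVE-2023-49786 fix: only ICE-validated peers reach the DTLS handshake."""
from dataclasses import dataclass, field

Addr = tuple[str, int]  # (ip, port)


def packet_kind(data: bytes) -> str:
    """RFC 7983 demux by first byte: 20..63 is DTLS, 128..191 is RTP/RTCP."""
    if not data:
        return "empty"
    first = data[0]
    if 20 <= first <= 63:
        return "dtls"
    if 128 <= first <= 191:
        return "rtp"
    return "other"


def dtls_record_ok(data: bytes) -> bool:
    """Sanity-check a DTLS record header (RFC 6347): 13-byte header, DTLS version,
    and a length field that matches the fragment actually present."""
    if len(data) < 13 or data[1:3] not in (b"\xfe\xff", b"\xfe\xfd"):
        return False
    length = int.from_bytes(data[11:13], "big")
    return len(data) == 13 + length


@dataclass
class MediaSession:
    ice_validated: set[Addr] = field(default_factory=set)
    torn_down: bool = False
    require_ice_validation: bool = True  # False models the vulnerable behaviour

    def ice_success(self, peer: Addr) -> None:
        self.ice_validated.add(peer)

    def on_packet(self, src: Addr, data: bytes) -> str:
        """Return what the session did with the packet."""
        if self.torn_down:
            return "torn-down"
        kind = packet_kind(data)
        if kind != "dtls":
            return kind
        # The fix: DTLS from an address that never passed an ICE check is dropped
        # before it can provoke a handshake error and tear the session down.
        if self.require_ice_validation and src not in self.ice_validated:
            return "dropped-unvalidated"
        if not dtls_record_ok(data):
            self.torn_down = True  # DTLS error -> media teardown -> SIP teardown
            return "dtls-error-teardown"
        return "dtls-processed"
```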
Source: This report was generated using AI