Asterisk Vulnerability Discovered
Source: asteriskblog.com
Here is something for all Asterisk users out there. Though we may all be very enthusiastic about Asterisk and the service it provides, we have to be practical and keep our eyes open for vulnerabilities. Even the people over at Digium do not act like ostriches and keep their head buried in the sand – I guess most other service providers act the same way. They are always on the look out for weaknesses that other unscrupulous individuals may take advantage of.
Recently, Joel R. Voss aka. Javantea reported a vulnerability in Asterisk systems that may result in denial of service. Many other sites and blogs have subsequently spread the word about the possible problems that may arise from the vulnerability. People over at Digium themselves have released an advisory about the issue. They have also released work arounds that could help solve the issue and avoid potential problems that may arise from it.
Below is the description of the vulnerability as well as other important details that you may need to resolve the issue. This was taken from Secunia:
Description:
A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).The vulnerability is caused due to improper verification of ACK responses during IAX2 handshakes, which can be exploited to spoof an IAX2 handshake and cause a DoS via high bandwidth usage.
The vulnerability is reported in the following versions:
* Asterisk Open Source 1.0.x (all versions)
* Asterisk Open Source 1.2.x (all versions prior to 1.2.28)
* Asterisk Open Source 1.4.x (all versions prior to 1.4.19.1)
* Asterisk Business Edition A.x.x (all versions)
* Asterisk Business Edition B.x.x (all versions prior to B.2.5.2)
* Asterisk Business Edition C.x.x (all versions prior to C.1.8.1)
* AsteriskNOW 1.0.x (all versions prior to 1.0.3)
* Asterisk Appliance Developer Kit 0.x.x (all versions)
* s800i (Asterisk Appliance) 1.0.x (all versions prior to 1.1.0.3)Solution:
Asterisk Open Source 1.2.x:
Fixed in 1.2.28.Asterisk Open Source 1.4.x:
Fixed in 1.4.19.1.Asterisk Business Edition B.x.x:
Fixed in B.2.5.2Asterisk Business Edition C.x.x:
Fixed in C.1.8.1.AsteriskNOW:
Fixed in 1.0.3.s800i (Asterisk Appliance):
Fixed in 1.1.0.3.Provided and/or discovered by:
Joel R. Voss a.k.a. JavanteaOriginal Advisory:
Asterisk:
http://downloads.digium.com/pub/security/AST-2008-006.htmlAltSci:
https://www.altsci.com/concepts/page.php?s=asteri&p=2
Here’s to hoping that you will be able to take care of the vulnerability before anything adverse happens!
