Critical vulnerabilities in Asterisk plugged
Vulnerabilities in the Asterisk telephony software could be exploited by attackers to inject and execute code. The development team have released updated versions of the software which fix these and other less critical vulnerabilities.
A buffer overflow can occur when processing Real-time Transport Protocol (RTP) packets if the payload number is greater than 256. Sending more than 32 payloads has a similar effect. This can be exploited by attackers to overwrite memory locations outside of the buffer. The bug affects Asterisk Open Source versions prior to 126.96.36.199, 1.4.19-rc3 and 1.6.0-beta6, Asterisk Business Edition prior to C.1.6.1, AsteriskNOW prior to 1.0.2, the Asterisk Appliance s800i prior to 188.8.131.52 and the Asterisk Appliance Developer Kit, prior to the SVN version 1.4 revision 109386.
Using specific values for the From: field in SIP headers, attackers can make calls without authentication. The calls are sent in the context specified in the general section in the sip.conf configuration file. This bug affects all version of Asterisk.
The new versions also fix two less critical bugs. The software interprets log messages sent using versions of the Asterisk Open Source ast_verbose API prior to 1.6.0-beta6 as formatstrings instead of strings. This can cause the system to crash. In addition, the HTTP-Manager session ID is easily guessable.
Asterisk administrators should download and install the updated version of the software as soon as possible.
- Two buffer overflows in RTP Codec Payload Handling, security advisory from the Asterisk development team
- Unauthenticated calls allowed from SIP channel driver, security advisory from the Asterisk development team
- Format String Vulnerability in Logger and Manager, security advisory from the Asterisk development team
- HTTP Manager ID is predictable, security advisory from the Asterisk development team