In association with heise online

08 January 2013, 22:40

Critical vulnerabilities in Asterisk


Digium has fixed several critical vulnerabilities in its open source telephone system application Asterisk which could be exploited by an attacker to inject code onto the server. The vulnerabilities are buffer overflows on the stack which can be exploited using the HTTP, SIP and XMPP protocols. Only the XMPP vulnerability requires an active session.

The vulnerabilities rely on the fact that the Asterisk Management Interface (AMI) reserves a space on the stack, the size of which can be specified by the attacker. If the reserved space does not fit on the stack, an overflow occurs. Brandon Edwards, one of the team which discovered the vulnerabilities, has posted a detailed description on his blog.
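To illustrate the mechanism described above, here is an added C example (not Asterisk's code and not Digium's fix): a scratch buffer whose stack reservation is sized by a peer-supplied length, beside a hardened version that bounds the length and moves the buffer to the heap. The function names, the 4096-byte cap and the variable-length-array form of the reservation are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD_LEN 4096   /* constructed cap on a peer-supplied field; not an Asterisk constant */

/* Unsafe pattern: the stack reservation is sized by the remote peer. A very
 * large len moves the stack pointer far beyond the mapped stack, which is the
 * overflow the article describes. Kept only for contrast with the fix below. */
int copy_field_unsafe(const uint8_t *src, size_t len, char *out, size_t out_sz)
{
    char tmp[len + 1];           /* attacker-sized variable-length array */
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    return snprintf(out, out_sz, "%s", tmp) < 0 ? -1 : 0;
}

/* Hardened pattern: validate the length before reserving anything, and take
 * the scratch buffer from the heap so stack use never depends on input. */
int copy_field_safe(const uint8_t *src, size_t len, char *out, size_t out_sz)
{
    if (src == NULL || out == NULL || out_sz == 0)
        return -1;
    if (len > MAX_FIELD_LEN || len + 1 > out_sz)
        return -1;               /* oversized or non-fitting input is refused */
    char *tmp = malloc(len + 1); /* bounded by the check above */
    if (tmp == NULL)
        return -1;
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    memcpy(out, tmp, len + 1);
    free(tmp);
    return 0;
}

/* Self-checks: a normal field is accepted; a peer-chosen huge length is
 * refused before any memory is reserved. */
int safe_accepts_normal_field(void)
{
    char out[16];
    return copy_field_safe((const uint8_t *)"hello", 5, out, sizeof out) == 0
        && strcmp(out, "hello") == 0;
}

int safe_rejects_oversized_len(void)
{
    char out[16];
    return copy_field_safe((const uint8_t *)"x", (size_t)1 << 30, out, sizeof out) == -1;
}
```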

Open source versions 1.8.x, 10.x and 11.x, Certified Asterisk 1.8.11 (intended for commercial use) and Digium VoIP phones containing firmware version 10.x are all vulnerable. The fixed versions are 10.11.1, 11.1.2, Certified Asterisk 1.8.11-cert10, and version 10.11.1 for Digium phones.
