Digium patches holes in Asterisk telephony software
New versions of the Asterisk telephony software resolve two SQL injection vulnerabilities which allow attackers to access an underlying Postgresql database. According to the developers' security advisory, attackers could retrieve other users' user names and passwords required for authentication purposes. The vulnerabilities are caused by insufficient filtering of some of the parameters received in packets or processed elsewhere, for example phone numbers transmitted via the Dialed Number Identification Service (DNIS). By providing specially crafted DNIS strings to the Call Detail Record log of the database, attackers could inject and execute arbitrary database commands.
According to the advisory, however, the affected res_config_pgsql and cdr_pgsql modules are not active by default. All versions of Asterisk Open Source 1.0.x, 1.2.x, 1.4.x, Asterisk Business Edition A.x.x, B.x.x and C.x.x, AsteriskNOW and s800i (Asterisk Appliance) 1.0.x are affected. As a workaround, developers suggest using PgsqlODBC drivers instead of Asterisk drivers. The flaws have been corrected in Asterisk Open Source 1.2.25, 1.4.15 and in Asterisk Business Edition B.2.3.4 and C.1.0-beta6.
- SQL Injection issue in cdr_pgsql, Asterisk advisory
- SQL Injection issue in res_config_pgsql, Asterisk advisory