In association with heise online

30 November 2007, 15:21

Digium patches holes in Asterisk telephony software


New versions of the Asterisk telephony software resolve two SQL injection vulnerabilities that allow attackers to access the underlying PostgreSQL database. According to the developers' security advisory, attackers could retrieve other users' user names and the passwords used for authentication. The vulnerabilities stem from insufficient escaping of certain values that arrive in signalling packets or are processed elsewhere, for example the called number delivered via the Dialed Number Identification Service (DNIS). Because such values are written unescaped into the Call Detail Record (CDR) table, an attacker who supplies a specially crafted DNIS string can inject and execute arbitrary SQL statements against the database.
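To show the bug class concretely, here is an added example that is not Asterisk code and does not reproduce the patched modules: it models a CDR writer that pastes the DNIS into an INSERT by string formatting, next to the same writer using bound parameters. The in-memory SQLite database, the table layout (sip_users, cdr) and the sample credentials are all constructed stand-ins for the PostgreSQL backend; the injection mechanics are the same.

```python
import sqlite3

# Constructed sample credentials, standing in for a realtime user table
# that shares a database with the CDR table.
SAMPLE_USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]

# Constructed malicious DNIS value. The first single quote closes the
# literal the CDR writer opened, the concatenation pulls another user's
# secret into the row being written, and the trailing quote opens a
# literal that the writer's own closing quote then terminates.
MALICIOUS_DNIS = "x' || (SELECT secret FROM sip_users WHERE name = 'alice') || '"


def make_demo_db():
    """In-memory SQLite stand-in for the PostgreSQL backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sip_users (name TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    conn.execute("CREATE TABLE cdr (id INTEGER PRIMARY KEY, src TEXT, dst TEXT, "
                 "dnid TEXT, duration INTEGER)")
    conn.executemany("INSERT INTO sip_users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def _stored_dnid(conn, rowid):
    """Read back what actually landed in the CDR row."""
    return conn.execute("SELECT dnid FROM cdr WHERE id = ?", (rowid,)).fetchone()[0]


def vulnerable_log_cdr(conn, src, dst, dnid, duration):
    """Build the INSERT by string formatting, as an unescaped CDR writer would.
    Caller-controlled DNIS text becomes part of the SQL statement itself."""
    sql = ("INSERT INTO cdr (src, dst, dnid, duration) "
           f"VALUES ('{src}', '{dst}', '{dnid}', {int(duration)})")
    cur = conn.execute(sql)
    return _stored_dnid(conn, cur.lastrowid)


def safe_log_cdr(conn, src, dst, dnid, duration):
    """Same insert with bound parameters: the driver sends the DNIS as data,
    so quotes and SQL syntax inside it are stored verbatim, not executed."""
    cur = conn.execute(
        "INSERT INTO cdr (src, dst, dnid, duration) VALUES (?, ?, ?, ?)",
        (src, dst, dnid, int(duration)))
    return _stored_dnid(conn, cur.lastrowid)


if __name__ == "__main__":
    db = make_demo_db()
    # The vulnerable path writes alice's secret into the attacker's CDR row.
    print("vulnerable:", vulnerable_log_cdr(db, "1000", "2000", MALICIOUS_DNIS, 30))
    # The safe path stores the payload as an opaque string.
    print("safe:      ", safe_log_cdr(db, "1000", "2000", MALICIOUS_DNIS, 30))
```

In a libpq-based C module the equivalent fix is to pass values through PQexecParams, or at minimum to run every string through PQescapeStringConn before it is spliced into the statement; an ad-hoc quote-doubling routine is easy to get wrong across client encodings and server settings.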

According to the advisory, however, the affected res_config_pgsql and cdr_pgsql modules are not enabled by default, so only installations that have explicitly configured the PostgreSQL realtime or CDR backend are exposed. All versions of Asterisk Open Source 1.0.x, 1.2.x and 1.4.x, Asterisk Business Edition A.x.x, B.x.x and C.x.x, AsteriskNOW and the s800i (Asterisk Appliance) 1.0.x are affected. As a workaround, the developers suggest accessing PostgreSQL through its ODBC driver rather than through Asterisk's native PostgreSQL modules. The flaws have been corrected in Asterisk Open Source 1.2.25 and 1.4.15 and in Asterisk Business Edition B.2.3.4 and C.1.0-beta6.
