In association with heise online

08 August 2007, 13:20

DoS vulnerability in Asterisk telephone system software fixed


The developers of the Asterisk telephone system software have released an update intended to fix a denial-of-service vulnerability that causes the Skinny channel driver (chan_skinny) to crash when it receives crafted "CAPABILITIES_RES_MESSAGE" packets. Attackers must be authenticated to carry out the attack. The Skinny Client Control Protocol (SCCP) is a proprietary Cisco standard for telephony and conferencing over IP-based networks.

Asterisk versions 1.4.x to 1.4.9, AsteriskNow prior to version beta 7, Asterisk Appliance prior to version 1.0.3 and the Asterisk Appliance Developer Kit prior to 0.7.0 are all affected. In addition, version 1.2.24, which is free of the bug described, has also been released. This release includes fixes for non-security-related bugs. With immediate effect, however, branch 1.2 will be updated with security fixes only. No further development will be carried out on this branch.
