In association with heise online

22 March 2007, 16:01

Two holes in Asterisk telephone system software closed


Two holes have been closed in the Asterisk telephone system software; attackers could exploit either vulnerability to crash a system. The first flaw lay in the handling of specially crafted SIP INVITE packets whose Session Description Protocol (SDP) body contained one valid and one invalid IP address. As the INVITE is the first packet sent when a SIP session is set up, a single UDP packet is all it takes to bring down a SIP telephone or an entire system. This flaw has been remedied in version 1.2.17 as well.

The second crash occurs when Asterisk receives a response from another system in which the SIP status code is set to 0. This flaw does not affect the 1.2.x branch. The developers advise anyone operating an Asterisk system on a public, untrusted network to upgrade promptly. The update also improves support for Shared Line Appearance (SLA).
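Both triggers described above, an INVITE whose SDP carries one valid and one invalid connection address and a response whose status code is 0, are inputs a SIP stack should reject before doing anything else with the message. The following Python is an added example, not Asterisk code and not the vendor's fix: a minimal SIP/SDP validator that flags both cases on constructed sample messages. The hostnames, addresses, header values and helper names are assumptions chosen for the illustration.

```python
import ipaddress
import re

# Added example, not Asterisk code: strict checks on the two fields the
# article says crashed Asterisk, the SDP connection (c=) lines of an INVITE
# and the status code of a response. All messages below are constructed.

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d+) (.*)$")


def parse_sip(raw: bytes):
    """Split a SIP message into its start line, a header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_connection_errors(sdp: bytes) -> list:
    """Return every SDP c= line whose address is not a valid IPv4/IPv6
    address of the declared type (RFC 4566: c=<nettype> <addrtype> <addr>)."""
    bad = []
    for line in sdp.decode("utf-8", errors="replace").splitlines():
        if not line.startswith("c="):
            continue
        parts = line[2:].split()
        if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
            bad.append(line)
            continue
        addr = parts[2].split("/", 1)[0]  # drop optional TTL / address count
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append(line)
            continue
        if (parts[1] == "IP4") != (ip.version == 4):  # addrtype/address mismatch
            bad.append(line)
    return bad


def response_status(start_line: str) -> int:
    """Parse a SIP status line; RFC 3261 only defines codes 100-699."""
    m = STATUS_LINE.match(start_line)
    if not m:
        raise ValueError(f"malformed status line: {start_line!r}")
    code = int(m.group(1))
    if not 100 <= code <= 699:
        raise ValueError(f"status code out of range: {code}")
    return code


def check_message(raw: bytes):
    """Return (accepted, reason) for a raw SIP datagram."""
    start, headers, body = parse_sip(raw)
    if start.startswith("SIP/2.0 "):
        try:
            return True, f"response {response_status(start)}"
        except ValueError as exc:
            return False, str(exc)
    ctype = headers.get("content-type", [""])[0].lower()
    if ctype.startswith("application/sdp"):
        bad = sdp_connection_errors(body)
        if bad:
            return False, "invalid SDP connection line: " + "; ".join(bad)
    return True, start.split(" ", 1)[0]


def build(start: str, headers: list, body: bytes = b"") -> bytes:
    """Assemble a SIP message with a correct Content-Length."""
    hdrs = headers + [("Content-Length", str(len(body)))]
    head = start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs)
    return head.encode() + b"\r\n" + body


# Constructed samples (not captured traffic); addresses are documentation ranges.
COMMON = [
    ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776"),
    ("From", "<sip:caller@192.0.2.10>;tag=1"),
    ("To", "<sip:100@pbx.example.test>"),
    ("Call-ID", "1@192.0.2.10"),
    ("CSeq", "1 INVITE"),
    ("Content-Type", "application/sdp"),
]
GOOD_SDP = (b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
            b"c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
            b"m=audio 4000 RTP/AVP 0\r\nc=IN IP4 192.0.2.10\r\n")
# One valid session-level c= line and one invalid media-level c= line.
BAD_SDP = GOOD_SDP.replace(b"m=audio 4000 RTP/AVP 0\r\nc=IN IP4 192.0.2.10",
                           b"m=audio 4000 RTP/AVP 0\r\nc=IN IP4 192.0.2.999")
GOOD_INVITE = build("INVITE sip:100@pbx.example.test SIP/2.0", COMMON, GOOD_SDP)
BAD_INVITE = build("INVITE sip:100@pbx.example.test SIP/2.0", COMMON, BAD_SDP)
ZERO_RESPONSE = build("SIP/2.0 0 Bogus", COMMON[:5])
OK_RESPONSE = build("SIP/2.0 200 OK", COMMON[:5])

if __name__ == "__main__":
    for name, msg in [("good INVITE", GOOD_INVITE), ("bad INVITE", BAD_INVITE),
                      ("200 response", OK_RESPONSE), ("code-0 response", ZERO_RESPONSE)]:
        print(name, check_message(msg))
```

The validator rejects the whole message as soon as one c= line fails, rather than keeping the valid address and ignoring the other; a parser that tries to be lenient about a half-valid SDP is exactly the code path the article says fell over. The same applies to the status line: anything outside 100-699 is treated as garbage instead of being passed on to the dialog state machine.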

Just two weeks ago, the Asterisk developers had to release an update to close a DoS hole in which malformed REGISTER packets tripped up the software.

