Update for Asterisk Telephony Software Eliminates DoS Vulnerability
A vulnerability in the Asterisk telecommunications software allows attackers to paralyze its telephony functionality. Asterisk is used both on dedicated servers and in embedded devices for Internet telephony. According to reports by the X-Force team at security vendor Internet Security Systems, the software can be paralyzed by a flood of call requests. The flood overwhelms the software and prevents it from answering further queries, which in turn prevents other users from establishing new telephone connections. The problem can be traced back to a programming error in the implementation of the Inter-Asterisk eXchange Protocol (IAX).
The attacker must have a valid user name for the attack to be successful, but the correct password is not required. Version 1.2.9 is affected, and the error is probably present in earlier versions as well. The problem can be remedied by updating to version 1.2.10 and setting the maxauthreq option to a reasonable value, so as to limit the number of unauthenticated connection requests.
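The following iax.conf fragment is an added illustration of the mitigation described above; it is not configuration from the article or from the Asterisk project. The user name `alice`, the secret and the chosen limit of 3 outstanding authentication requests are constructed for the example: the article only says the value should be "reasonable", and the right limit depends on how many simultaneous call attempts a legitimate user of that account needs.

```ini
; iax.conf -- example only, constructed for this illustration
; maxauthreq caps the number of unanswered (unauthenticated)
; authentication requests Asterisk will hold open per IAX2 user.
; On 1.2.9 and earlier no such cap exists, so a flood of call requests
; using a valid user name exhausts the server; 1.2.10 adds the option,
; but it must be set to take effect.

[general]
bindport=4569          ; default IAX2 port
bindaddr=0.0.0.0       ; constructed value: listen on all interfaces

[alice]                ; constructed user entry
type=user
secret=ChangeMe-example-only
context=internal       ; constructed dialplan context
maxauthreq=3           ; assumed "reasonable" limit: at most 3 outstanding
                       ; auth requests for this user; further requests are
                       ; rejected until the pending ones are answered or expire
```

After reloading the IAX2 channel driver (for example with `iax2 reload` from the Asterisk console), an unauthenticated flood against `alice` is bounded by the configured limit rather than consuming the server's capacity, while a user who supplies the correct secret is unaffected.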