[asterisk-users] Two security holes fixed in latest versions of Asterisk

Matt Riddell (NZ) matt.riddell at sineapps.com
Mon Jul 17 15:13:58 MST 2006


From: http://www.sineapps.com/news.php?rssid=1377

ISS Xforce has published details of two security issues in Asterisk 1.x
which were fixed in the recently released 1.2.10 version.

Asterisk IAX2 Protocol Denial of Service Attack

Summary:

ISS X-Force has discovered a denial of service vulnerability in the
Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by
Asterisk PBX software to exchange Voice over IP call setup and call
content. If an attacker floods the PBX with call requests, the PBX will
be unable to handle new telephone calls.

IAX2 Protocol Denial of Service Amplification Attack

Summary:

ISS X-Force has discovered a traffic amplification vulnerability in the
Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by
Asterisk PBX software to exchange Voice over IP call setup and call
content. An attacker can leverage accounts without passwords on an
Asterisk PBX to flood a third party with a large amount of UDP packets.
If the attack is properly constructed the amount of traffic generated
can saturate the victim's Internet connection. Networks do not have to
use Asterisk PBX to be the victim of this kind of traffic flood.

--
Cheers,

Matt Riddell
_______________________________________________

http://www.sineapps.com/news.php (Daily Asterisk News - html)
http://freevoip.gedameurope.com (Free Asterisk Voip Community)
http://www.sineapps.com/rssfeed.php (Daily Asterisk News - rss)
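The second summary above names accounts without passwords as what an attacker leverages for the amplification flood. The following is an added example, not part of the original post or of Asterisk itself: a Python script that lists passwordless accounts in an iax.conf-style file. The sample configuration is constructed, and checking only type=user and type=friend sections, with secret= or inkeys= counting as a credential, is an assumption of this example.

```python
import re

# Constructed sample in iax.conf layout (not taken from the post).
SAMPLE_IAX_CONF = """\
[general]
bindport=4569

[guest]
type=user
context=default

[branch-office]
type=friend
secret=Zr8-constructed-example
host=dynamic

[partner]
type=user
auth=rsa
inkeys=partnerkey

[trunk-out]
type=peer
host=192.0.2.10
"""

def passwordless_accounts(conf_text):
    """Return names of type=user/friend sections with no secret= or inkeys=."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # also accepts "key => value"
            current[key.strip().lower()] = value.lstrip(">").strip()
    flagged = []
    for name, opts in sections.items():
        # Assumption: only accounts that accept inbound calls are audited.
        accepts_calls = opts.get("type", "").lower() in ("user", "friend")
        has_credential = bool(opts.get("secret")) or bool(opts.get("inkeys"))
        if name != "general" and accepts_calls and not has_credential:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in passwordless_accounts(SAMPLE_IAX_CONF):
        print("no secret set for IAX2 account:", name)
```

An empty `secret=` line is treated the same as a missing one, so both are reported.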


