ZDNet UK
Asterisk VoIP flaw patched

Tom Espiner ZDNet.co.uk

Published: 18 Jul 2006 17:45 BST


Asterisk, the open source Voice over Internet Protocol (VoIP) project, released patches for a security hole in its virtual private branch exchange (PBX) software over the weekend.

The hole exists in IAX2, the protocol that underpins the Asterisk service. If exploited, it could lead to denial-of-service attacks on businesses that use the Asterisk PBX for their IP telephony services.

"The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial-of-service attacks and random Asterisk server crashes via a relatively trivial exploit," said the project in a statement.

Asterisk is open source, freely available software that offers organisations all the features of a typical telephony PBX.

Asterisk PBX users have been advised to upgrade to the latest version of Asterisk, 1.2.10, which includes the capability to limit the maximum number of simultaneous unauthenticated calls that can be placed by a single user.

"The Asterisk release contains a new option to help avoid a potential denial-of-service vulnerability in the IAX2 channel driver," confirmed Asterisk in a statement.

Vulnerability researchers at Internet Security Systems (ISS), a security vendor, first discovered the vulnerability earlier this year, and worked with Asterisk to develop a patch.

The vulnerability manifests when an attacker floods the phone service with call requests, preventing it from handling new telephone calls.

The vulnerability also allows an attacker to use an account without a password on one Asterisk PBX network to flood another network with large amounts of traffic.

The volume of traffic can saturate the victim's Internet connection and cause complete denial of Internet service to the victim. Additionally, those being used to perpetrate the attack may experience reduced quality of service.
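The flood described above, and the per-user cap on unauthenticated calls that the 1.2.10 release introduces, can be illustrated with a small monitor. This is an added example, not Asterisk's own code: it parses the IAX2 full-frame header (layout from RFC 5456), counts NEW call requests per source address that have not been followed by an AUTHREP or HANGUP from that source, and flags sources that exceed a cap. The per-address accounting and the AUTHREP/HANGUP heuristic are assumptions for the example; the sample traffic is constructed, not captured.

```python
import struct
from collections import defaultdict

# IAX2 full-frame header (RFC 5456 section 8.1.1): 12 bytes, big-endian.
# Word 1: F flag (bit 15, 1 = full frame) | 15-bit source call number.
# Word 2: R flag | 15-bit destination call number. Then 32-bit timestamp,
# OSeqno, ISeqno, frame type, and C flag | 7-bit subclass.
FULL_FRAME = struct.Struct(">HHIBBBB")
IAX_FRAME_TYPE = 6          # IAX control frame
IAX_SUBCLASS_NEW = 1        # call setup request
IAX_SUBCLASS_HANGUP = 5
IAX_SUBCLASS_AUTHREP = 9    # client's reply to an AUTHREQ challenge


def parse_full_frame(data):
    """Return the header fields of an IAX2 full frame, or None for mini/short frames."""
    if len(data) < FULL_FRAME.size:
        return None
    w1, w2, ts, oseq, iseq, ftype, sub = FULL_FRAME.unpack_from(data)
    if not w1 & 0x8000:
        return None  # mini frame: voice payload only, no call signalling
    return {"scall": w1 & 0x7FFF, "dcall": w2 & 0x7FFF, "ts": ts,
            "oseqno": oseq, "iseqno": iseq, "type": ftype, "subclass": sub & 0x7F}


def build_iax_frame(scall, subclass, dcall=0):
    """Constructed sample frame: an IAX control frame with the given subclass."""
    return FULL_FRAME.pack(0x8000 | scall, dcall, 0, 0, 0, IAX_FRAME_TYPE, subclass)


def flag_floods(packets, max_unauth=3):
    """packets: iterable of (src_ip, raw_udp_payload). Returns the set of sources
    whose count of NEW requests still awaiting authentication exceeds max_unauth.
    Assumption: an AUTHREP or HANGUP from the same source/call closes the pending entry."""
    pending = defaultdict(set)
    flagged = set()
    for src, data in packets:
        frame = parse_full_frame(data)
        if frame is None or frame["type"] != IAX_FRAME_TYPE:
            continue
        if frame["subclass"] == IAX_SUBCLASS_NEW:
            pending[src].add(frame["scall"])
            if len(pending[src]) > max_unauth:
                flagged.add(src)
        elif frame["subclass"] in (IAX_SUBCLASS_AUTHREP, IAX_SUBCLASS_HANGUP):
            pending[src].discard(frame["scall"])
    return flagged


# Constructed sample traffic: one source opens four calls and never answers the
# authentication challenge; another opens two calls and authenticates each.
SAMPLE = [("192.0.2.10", build_iax_frame(n, IAX_SUBCLASS_NEW)) for n in range(1, 5)]
SAMPLE += [("198.51.100.7", build_iax_frame(1, IAX_SUBCLASS_NEW)),
           ("198.51.100.7", build_iax_frame(1, IAX_SUBCLASS_AUTHREP)),
           ("198.51.100.7", build_iax_frame(2, IAX_SUBCLASS_NEW))]
```

Run `flag_floods(SAMPLE)` to see only the first source reported; raising `max_unauth` to 4 clears it, which is the trade-off the new option asks the administrator to make.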

Vulnerability researchers advised businesses using older versions of Asterisk to upgrade as soon as possible.

"An attack would cripple an organisation's ability to do business," said Alain Sergile, technical product manager for X-Force, the vulnerability research division of ISS.

"You could stop all calls to and from that business. If a call centre was affected, you could inhibit the business's making money from processing orders," Sergile added.
