News
Contributed by: Egle Markauskaite
Date: August 12, 2009
Which computer telephony application are you using for voicemail, conference calling, automatic call distribution, interactive voice response, call queuing and other features? A wide choice of telephony software products and services is available. If you use Asterisk, a software implementation of a telephone private branch exchange (PBX), you should be cautious. Some

Like any PBX, Asterisk lets attached telephones call one another and connects them to other telephone services, including the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Originally written for Linux, Asterisk now also runs on a range of other operating systems, including NetBSD, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows 2000/XP/2003/Vista; the Microsoft Windows port is known as AsteriskWin32. Users should note that, according to the vendor, the vulnerabilities are only exploitable in version 1.6.1 and above. The vulnerabilities were identified and confirmed in the following products and versions:

Table 1. Affected products

What are the main causes of these vulnerabilities? The SIP channel driver calls scanf-family functions (sscanf() on fields of incoming SIP messages) without specifying a maximum field width. A remote peer can exploit this to exhaust stack memory in the SIP stack network thread by sending a message with overly long numeric strings in any of several fields, which crashes Asterisk and so denies service to every call it handles. For this reason, these flaws are tracked as the Asterisk SIP Channel Driver 'scanf' Multiple Denial of Service Vulnerabilities.

Asterisk users will want to know whether a fix exists, and the news is good: the vendor has released patches. Administrators running affected systems should apply them and upgrade their installations. Asterisk Open Source users should update to version 1.2.34, 1.4.26.1, 1.6.0.12, or 1.6.1.4. Asterisk Business Edition users should update to version B.2.5.9, C.2.4.1, or C.3.1. Users of the s800i (Asterisk Appliance) should update to version 1.3.0.3. Note that fixed releases were issued for every maintained branch, including those below 1.6.1, so the upgrade advice applies regardless of the exploitability note above; the installed version can be checked with `asterisk -V` on the PBX host.
User Comments
John Todd
Asterisk Community Director
Digium, Inc.