DoS Vulnerability in Asterisk

Jan 04, 2008

The makers of Asterisk, the Open Source phone system, have removed a bug that allowed denial of service attacks under certain circumstances.

The vulnerability affected the SIP channel driver, more specifically the "BYE with Also" transfer method. A faulty null-pointer dereference could be exploited to crash the application using a carefully crafted BYE message. The attack needed an existing connection.

All 1.4.x versions of Asterisk Open Source, all C.x.x versions of the Business Edition, the pre-release versions of AsteriskNOW, the Asterisk Appliance Developer Kit prior to version 1.4 revision 95946 and the Asterisk Appliance s800i up to version 1.0.3.4 are all affected by the bug.

Updates are available from the website for the Open Source applications. Updates for commercial versions will be provided via standard support channels.

Related content

  • AsteriskNOW 1.5 Based on CentOS

    AsteriskNOW, a Linux distro for telephony setups that includes GPL-licensed Asterisk, is now available in version 1.5.

  • Skype Plugin for Asterisk

    Digium, makers of Asterisk telephony solutions, and VoIP provider Skype have announced a one-year development period for a Skype plugin to the free telephony service.

  • Askerisk

    If you want advanced features without the expense, try a VoIP phone system. We’ll show you how to configure your own Asterisk telephone exchange server.

  • Vulnerabilities in OpenSSL

    Three security issues have been identified in the Open Source implementation of the SSL/TLS protocol, OpenSSL. The vulnerabilities allow targeted attacks.

  • Vulnerability in GNU "tar"

    Linux distributor Red Hat has discovered a vulnerability in the GNU "tar" program that could allow attackers to overwrite files.

comments powered by Disqus