Network Computing is part of the Informa Tech Division of Informa PLC


Big Security Flaws Found In Asterisk PBX, IAX VoIP Client

The open source IP PBX Asterisk and the open source IAX VoIP client contain serious security vulnerabilities that attackers could use to mount denial-of-service (DoS) attacks against VoIP networks, says Core Security Technologies, the security company that discovered the flaws.

Core Security says the vulnerabilities let an attacker trigger buffer overflows in the affected software, which can then be used to crash it and so deny service. The open source Asterisk project and Digium, which distributes Asterisk, have released patches.

Asterisk PBX is popular with small businesses that want to avoid paying for commercial IP PBX software, but it also forms the core of enterprise-level and service provider VoIP offerings, including Aspect Software's contact center application and SIPphone's Gizmo Project. The IAX VoIP client is used by several IP softphones.

According to Core Security's researchers, neither application checks incoming UDP packets for malformation: an attacker can exploit the flaw by sending a flood of truncated (too-short) packets, which the unchecked parsing turns into a buffer overflow.
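The bug class the article describes, as an added illustration that is not Core Security's advisory code nor Asterisk or IAX client source: a datagram parser that derives the payload length by subtraction without first checking that the datagram is at least one header long. The frame layout below is a simplified model (the 12-byte header is borrowed from the IAX2 full-frame size; field meanings are assumptions for illustration), and both sample datagrams are constructed, not captured traffic. The vulnerable routine only returns the wrapped length rather than performing the overrunning copy, so the program runs to completion; the hardened parser shows the check that prevents the overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     12    /* toy header: 12 bytes, the size of an IAX2 full-frame header */
#define MAX_PAYLOAD 1024  /* destination buffer for the payload */

struct frame {
    uint16_t src_call;
    uint16_t dst_call;
    uint32_t timestamp;
    uint8_t  type;
    uint8_t  subclass;
    size_t   payload_len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Vulnerable pattern: the payload length is pkt_len minus the header size with
 * no check that the datagram actually holds a full header. For a truncated
 * datagram the unsigned subtraction wraps to a huge value; a memcpy of that
 * many bytes into a fixed buffer overruns it and crashes the process.
 * This version deliberately returns the computed length and does NOT copy. */
size_t vulnerable_payload_len(size_t pkt_len) {
    return pkt_len - HDR_LEN;   /* wraps when pkt_len < HDR_LEN */
}

/* Hardened parser: validate the total length before reading any field, bound
 * the payload against the destination buffer, and report -1 on malformed
 * input so the caller drops the datagram instead of crashing. */
int parse_frame(const uint8_t *pkt, size_t pkt_len, struct frame *out) {
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < HDR_LEN) return -1;            /* truncated header */
    size_t payload_len = pkt_len - HDR_LEN;      /* cannot wrap after the check */
    if (payload_len > MAX_PAYLOAD) return -1;    /* oversized payload */

    out->src_call  = (uint16_t)(((pkt[0] & 0x7f) << 8) | pkt[1]);  /* top bit: full-frame flag */
    out->dst_call  = (uint16_t)(((pkt[2] & 0x7f) << 8) | pkt[3]);
    out->timestamp = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16)
                   | ((uint32_t)pkt[6] << 8)  |  (uint32_t)pkt[7];
    /* pkt[8], pkt[9]: sequence numbers, ignored in this toy model */
    out->type      = pkt[10];
    out->subclass  = pkt[11] & 0x7f;
    out->payload_len = payload_len;
    memcpy(out->payload, pkt + HDR_LEN, payload_len);
    return 0;
}

/* Constructed sample datagrams (assumptions for illustration, not real traffic). */
static const uint8_t good_pkt[] = {
    0x80, 0x01,             /* full-frame flag set, source call 1 */
    0x00, 0x02,             /* destination call 2 */
    0x00, 0x00, 0x00, 0x64, /* timestamp 100 */
    0x00, 0x00,             /* sequence numbers */
    0x06, 0x0b,             /* type 6, subclass 11 (arbitrary values) */
    'h', 'i'                /* 2-byte payload */
};
static const uint8_t short_pkt[] = { 0x80, 0x01, 0x00 };  /* 3 bytes: truncated mid-header */

int main(void) {
    struct frame f;
    printf("truncated datagram: vulnerable length computation gives %zu bytes\n",
           vulnerable_payload_len(sizeof short_pkt));
    printf("truncated datagram: hardened parser returns %d\n",
           parse_frame(short_pkt, sizeof short_pkt, &f));
    if (parse_frame(good_pkt, sizeof good_pkt, &f) == 0)
        printf("good datagram: call %u -> %u, type %u, payload %zu bytes\n",
               f.src_call, f.dst_call, f.type, f.payload_len);
    return 0;
}
```

Compiled with `cc -Wall -o frame frame.c`, the program shows the wrapped length a three-byte datagram produces in the unchecked path and the clean rejection in the checked one; a fuzzer that sends datagrams of every length from 0 up to the header size is the cheapest way to find this class of bug in a UDP protocol handler.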

Ivan Arce, CTO at Core Security, told Dark Reading that the vulnerabilities are easy to exploit, and that they could lead to "random Asterisk server crashes via a relatively trivial exploit."
