[ISN] Asterisk mauled by buffer overflow bug

From: InfoSec News (alerts@private)
Date: Fri Mar 21 2008 - 00:13:33 PST


http://www.channelregister.co.uk/2008/03/20/ip_pbx_vulns/

By John Leyden 
Channel Register
20 March 2008

Buffer overflows - the perennial cause of security vulnerabilities in 
desktop applications - may become a worry for sys admins managing 
computerised telephone switchboards in the wake of the recent discovery 
of bugs in a popular IP PBX package.

A trio of vulnerabilties in the Asterisk range of open source IP-PBX 
software applications pose a severe risk for businesses that use the 
technology to computerise their switchboards and take advantage of low 
cost internet telephony calls. The flaws might be used by attackers to 
bypass security restrictions, crash or otherwise compromise a vulnerable 
system. Fortunately Asterisk published security updates addressing the 
bugs on Tuesday.

One of the three flaws involves buffer overflow errors in handling 
INVITE or SIP (Session Initiation Protocol) packets. The flaw might be 
used to crash applications or run arbitrary code.

A second, less serious flaw involves an error in the SIP channel driver 
when handling invalid "From" headers. The bug might be exploited to 
perform unauthenticated calls.

A third error poses an application crashing risk and stems for a 
different cause, flaws in functions connected with displaying call logs.

The flaws were discovered by MU Security Research Team.

Security watchers say the vulnerabilities illustrate the need for 
enterprises to review their IP telephony security arrangements.

"Most companies have installed multi-layered security technology on 
their computer network, but IP telephony services almost always escape 
the scrutiny of the IT security systems in place to protect a company's 
computers and network technology," said Rob Rachwald, director of 
product marketing at application security specialist Fortify Software.

According to Rachwald, IP-PBX hackers are confining their activities to 
crashing systems or causing a denial of service attack. However, he 
added that this may change with the emergence of flaws that could allow 
hackers to take over control of company PBXs.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Fri Mar 21 2008 - 00:40:03 PST