Protection for Two Asterisk Vulnerabilities

Internet Security Systems, Inc., the worldwide leader in preemptive, enterprise security, announced that its X-Force research and development team has discovered and provided protection for ISS customers from two vulnerabilities in the Inter-Asterisk eXchange protocol version 2 (IAX2). The vulnerabilities, if exploited, could lead to complete denial of office telephone or Internet services in environments where Asterisk private branch exchange (PBX) is in use.

Asterisk is an open source, freely available application that allows organizations to access all of the features of a typical telephony PBX, including voicemail services, call conferencing, interactive voice response, call queuing, three-way calling and caller ID services.

"Users of Voice over Internet Protocol (VoIP) systems must be mindful not only of denial-of-service vulnerabilities in their VoIP PBX implementations, such as the vulnerability discovered in Asterisk, but underlying VoIP protocol weaknesses that may leave organizations open to vishing, a new security threat which uses VoIP to steal user information, and spam over the VoIP network," said Chris Rouland, chief technology officer of Internet Security Systems. "By leveraging preemptive protection from Internet Security Systems, organizations can avoid the potential loss of productivity and the business ramifications caused by these VoIP flaws as well as the underlying operating systems vulnerabilities that VoIP platforms run on."

ISS X-Force has discovered a denial of service vulnerability in the IAX2, which is used by Asterisk PBX to exchange Voice over Internet Protocol (VoIP) and call content. The vulnerability is apparent if an attacker floods the phone service with call requests, thereby preventing the phone service from handling new telephone calls.

ISS X-Force discovered a second vulnerability that allows an attacker to leverage accounts without passwords on an Asterisk PBX network to flood another network with large amounts of traffic. The volume of traffic can saturate the victim's Internet connection and cause complete denial of Internet service to the victim. Additionally, victims of the attack may experience reduced quality of service.

Asterisk has already released a patch to address the denial of service vulnerability. Asterisk users are urged to upgrade as soon as they can practically do so, or ensure that they do not expose IAX2 services to the public if it is not necessary. Asterisk users are strongly advised to ensure that no accounts are configured without passwords. For more details visit www.asterisk.org.

ISS has provided customers with preemptive protection for these flaws through its Proventia security platform. ISS' preemptive technology is based on the research and discoveries of its X-Force research and development team. By protecting against vulnerabilities rather than known exploits, ISS' Virtual Patch technology keeps organizations ahead of Internet threats until they are able to obtain, test and apply patches from affected vendors.

The ISS X-Force advisory on this vulnerability can be found at: http://xforce.iss.net/xforce/alerts/id/228k and http://xforce.iss.net/xforce/alerts/id/229.

Posted on Jul 17, 2006  Reviews | Share |  Digg
Filed in:
All comments require the approval of the site owner before being displayed.

Post a Comment

Please use a valid e-mail address. Your address will not be publicly visible and is only a means for us to contact you when asked. Thank you.

Name
E-mail
(will show your gravatar icon)
Home page

Comment (Some html is allowed: )  

Enter the code shown (prevents robots):




  All brand, company, and product names are trademarks or registered trademarks of their
  respective owners. © 2012 VoIP Monitor. All rights reserved. Privacy Policy  Terms