
SANS ISC: InfoSec Handlers Diary Blog



Several new Asterisk vulnerabilities were recently announced.

Published: 2008-03-21
Last Updated: 2008-03-21 18:23:17 UTC
by donald smith (Version: 1)
0 comment(s)

The Asterisk.org team has released new versions of code to address the following four vulnerabilities.
From: http://www.asterisk.org/node/48466
“AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling.
http://downloads.digium.com/pub/security/AST-2008-002.pdf
All users of SIP in Asterisk 1.4 and 1.6 are affected.
AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf.
http://downloads.digium.com/pub/security/AST-2008-003.pdf
All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected.
AST-2008-004 details some format string vulnerabilities that were found in the code handling the Asterisk logger and the Asterisk manager interface.
http://downloads.digium.com/pub/security/AST-2008-004.pdf
All users of Asterisk 1.6 are affected.”
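AST-2008-004 concerns format string bugs in a logging path. The C below is an added illustration of that bug class in generic form and is not Asterisk's code or Digium's: the function names (log_unsafe, log_safe, count_format_directives) and the sample input "alice%x%x%n" are constructed for this example. It places the defective pattern (caller-influenced text used as the format argument) next to the hardened one (a literal format with the text passed to "%s"), and adds a small counting helper of the kind a reviewer or an input filter can use to flag data that should never contain conversion directives.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (defined for comparison only, never called here):
 * text an attacker can influence, such as a SIP header or caller ID, is
 * handed to snprintf as the FORMAT argument. Any '%' directives in it are
 * interpreted, which is the bug class behind format string flaws in a
 * logger. Hypothetical name, not an Asterisk function.
 */
static void log_unsafe(const char *text)
{
    char line[256];
    snprintf(line, sizeof line, text);   /* text used as format: the defect */
    fputs(line, stderr);
}

/*
 * Hardened pattern: the format string is a compile-time literal and the
 * attacker-influenced text is bound to "%s", so it is copied verbatim and
 * never interpreted. Hypothetical name, not an Asterisk function.
 */
static int log_safe(char *out, size_t outlen, const char *text)
{
    return snprintf(out, outlen, "NOTICE: %s", text);
}

/*
 * Defensive helper: count printf-style conversion directives in a string
 * that is supposed to be plain data. A non-zero count on a field that should
 * never carry directives is worth alerting on. "%%" is a literal percent and
 * is not counted.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* skip the escaped pair */
            n++;
        }
    }
    return n;
}

/*
 * Runs the hardened path on a constructed hostile input and returns 1 if the
 * directives reached the output as literal bytes (i.e. were not interpreted).
 */
int hardened_path_keeps_input_literal(void)
{
    char buf[64];
    const char *hostile = "alice%x%x%n";   /* constructed sample input */
    log_safe(buf, sizeof buf, hostile);
    return strcmp(buf, "NOTICE: alice%x%x%n") == 0;
}

int main(void)
{
    const char *sample = "alice%x%x%n";   /* constructed, not from a live system */
    printf("directives in sample: %d\n", count_format_directives(sample));
    printf("hardened path literal: %d\n", hardened_path_keeps_input_literal());
    (void)log_unsafe;   /* referenced only to avoid an unused warning; never invoked */
    return 0;
}
```

The fix for this class is mechanical: every call into a printf-family function takes a literal format, and anything that came from the network is an argument. Compiling with -Wformat-security (and treating it as an error in CI) catches the log_unsafe shape at build time, which is the cheapest detection available for it.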

Exploitation of these types of vulnerabilities has been used in the past to gain access to Asterisk servers and set up automated systems for vishing attacks.

Vishing is a term used for voice-based phishing: http://en.wikipedia.org/wiki/Vishing

If you get a message, email or phone call that asks you to call a number you do not recognize, check the bill for that service or the back of your credit card and call THAT number, not the number that was included in the message.

Never give out personal information unless you have verified who is receiving it.
