Matt Riddell (NZ)
2006-Jul-17 15:13 UTC
[asterisk-users] Two security holes fixed in latest versions of Asterisk
From: http://www.sineapps.com/news.php?rssid=1377

ISS Xforce has published details of two security issues in Asterisk 1.x which were fixed in the recently released 1.2.10 version.

Asterisk IAX2 Protocol Denial of Service Attack

Summary:

ISS X-Force has discovered a denial of service vulnerability in the Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by Asterisk PBX software to exchange Voice over IP call setup and call content. If an attacker floods the PBX with call requests, the PBX will be unable to handle new telephone calls.

IAX2 Protocol Denial of Service Amplification Attack

Summary:

ISS X-Force has discovered a traffic amplification vulnerability in the Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by Asterisk PBX software to exchange Voice over IP call setup and call content. An attacker can leverage accounts without passwords on an Asterisk PBX to flood a third party with a large amount of UDP packets. If the attack is properly constructed the amount of traffic generated can saturate the victim's Internet connection. Networks do not have to use Asterisk PBX to be the victim of this kind of traffic flood.

--
Cheers,

Matt Riddell
_______________________________________________
http://www.sineapps.com/news.php (Daily Asterisk News - html)
http://freevoip.gedameurope.com (Free Asterisk Voip Community)
http://www.sineapps.com/rssfeed.php (Daily Asterisk News - rss)
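The two issues summarised above, as an added detection example that is not part of the original post or of Asterisk itself: it runs two heuristics over constructed IAX2 flow records, a sliding-window count of call-setup (NEW) requests per source for the flood, and an outbound/inbound byte ratio per peer, which is what a spoofed amplification victim looks like from the PBX side. The IAX2 UDP port 4569 is the protocol's well-known port; the addresses, frame labels and thresholds are assumptions.

```python
from collections import defaultdict

IAX2_PORT = 4569       # UDP port IAX2 uses (well-known value, not taken from the page)
PBX_IP = "192.0.2.1"   # constructed address of the monitored Asterisk PBX

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port, frame, nbytes).
# "NEW" is the IAX2 call-setup request; "VOICE" stands in for media the PBX sends.
FLOWS = [(0.0, "192.0.2.50", PBX_IP, IAX2_PORT, "NEW", 80),        # legitimate peer
         (0.1, PBX_IP, "192.0.2.50", IAX2_PORT, "VOICE", 400),
         (0.2, "192.0.2.50", PBX_IP, IAX2_PORT, "VOICE", 400)]
# flood: 40 call requests from one source inside half a second
FLOWS += [(i * 0.0125, "198.51.100.7", PBX_IP, IAX2_PORT, "NEW", 80) for i in range(40)]
# amplification: a few tiny NEW frames with a spoofed source, large media sent back to it
FLOWS += [(2.0 + i, "203.0.113.9", PBX_IP, IAX2_PORT, "NEW", 60) for i in range(5)]
FLOWS += [(2.5 + i, PBX_IP, "203.0.113.9", IAX2_PORT, "VOICE", 3000) for i in range(5)]


def call_request_floods(flows, pbx_ip=PBX_IP, window=1.0, threshold=20):
    """{src_ip: peak NEW count} for sources sending more than `threshold`
    call setups to the PBX within any `window` seconds (sliding window)."""
    times = defaultdict(list)
    for t, src, dst, port, frame, _ in flows:
        if dst == pbx_ip and port == IAX2_PORT and frame == "NEW":
            times[src].append(t)
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:      # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def amplification_suspects(flows, pbx_ip=PBX_IP, ratio=5.0):
    """{peer_ip: bytes_out / bytes_in} for peers sent at least `ratio` times more
    IAX2 bytes by the PBX than they sent it: a spoofed victim looks exactly like that."""
    sent, recv = defaultdict(int), defaultdict(int)
    for _, src, dst, port, _, nbytes in flows:
        if port != IAX2_PORT:
            continue
        if src == pbx_ip:
            sent[dst] += nbytes
        elif dst == pbx_ip:
            recv[src] += nbytes
    ratios = {peer: sent[peer] / max(recv[peer], 1) for peer in sent}
    return {peer: r for peer, r in ratios.items() if r >= ratio}
```

On the constructed records only the flooding source and the spoofed peer are reported; the legitimate peer, whose media is roughly symmetric, is not.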
Tzafrir Cohen
2006-Jul-18 09:24 UTC
[asterisk-users] Two security holes fixed in latest versions of Asterisk
On Tue, Jul 18, 2006 at 10:13:58AM +1200, Matt Riddell (NZ) wrote:
> From: http://www.sineapps.com/news.php?rssid=1377
>
> ISS Xforce has published details of two security issues in Asterisk 1.x
> which were fixed in the recently released 1.2.10 version.
>
> Asterisk IAX2 Protocol Denial of Service Attack
>
> Summary:
>
> ISS X-Force has discovered a denial of service vulnerability in the
> Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by
> Asterisk PBX software to exchange Voice over IP call setup and call
> content. If an attacker floods the PBX with call requests, the PBX will
> be unable to handle new telephone calls.
>
> IAX2 Protocol Denial of Service Amplification Attack
>
> Summary:
>
> ISS X-Force has discovered a traffic amplification vulnerability in the
> Inter-Asterisk eXchange protocol version 2 (IAX2). IAX2 is used by
> Asterisk PBX software to exchange Voice over IP call setup and call
> content. An attacker can leverage accounts without passwords on an
> Asterisk PBX to flood a third party with a large amount of UDP packets.
> If the attack is properly constructed the amount of traffic generated
> can saturate the victim's Internet connection. Networks do not have to
> use Asterisk PBX to be the victim of this kind of traffic flood.

If you wish to find more information and follow the links to ISS Xforce's site, you'll actually get irrelevant and misleading information.

I remember the issue of amplification raised in the dev list a number of months ago regarding both SIP and IAX2.

It is still not clear from those texts what version 1.2.10 has actually fixed here. Where can I find more details?

--
Tzafrir Cohen
sip:tzafrir@local.xorcom.com    icq#16849755
iax:tzafrir@local.xorcom.com    +972-50-7952406
jabber:tzafrir@jabber.org       tzafrir.cohen@xorcom.com
http://www.xorcom.com