ISS discovers two Asterisk vulnerabilities

Internet Security Systems, Inc., announced that its X-Force research and development team has discovered two vulnerabilities in the Inter-Asterisk eXchange protocol version 2 (IAX2). The vulnerabilities, if exploited, could lead to complete denial of office telephone or Internet services in environments where Asterisk private branch exchange (PBX) is in use.

Asterisk is an open source, freely available application that allows organisations to access all of the features of a typical telephony PBX, including voicemail services, call conferencing, interactive voice response, call queuing, three-way calling and caller ID services.

ISS X-Force has discovered a denial of service vulnerability in the IAX2, which is used by Asterisk PBX to exchange Voice over Internet Protocol (VoIP) and call content. The vulnerability is apparent if an attacker floods the phone service with call requests, thereby preventing the phone service from handling new telephone calls.

ISS X-Force discovered a second vulnerability that allows an attacker to leverage accounts without passwords on an Asterisk PBX network to flood another network with large amounts of traffic. The volume of traffic can saturate the victim’s Internet connection and cause complete denial of Internet service to the victim. Additionally, victims of the attack may experience reduced quality of service.

Asterisk has already released a patch to address the denial of service vulnerability. Asterisk users are urged to upgrade as soon as they can practically do so, or ensure that they do not expose IAX2 services to the public if it is not necessary. Asterisk users are strongly advised to ensure that no accounts are configured without passwords. For more details visit www.asterisk.org.

The ISS X-Force advisory on this vulnerability can be found at: and .