Category: VoIP Vulnerabilities

7 Asterisk VoIP Security Advisories Issued

The Digium / Asterisk Security Team has obviously been extremely busy ensuring that Asterisk is as secure as possible given that yesterday they released 7 security advisories, although only one of them (AST2014-16) was rated as “Critical”. The others are rated as “Moderate” or “Minor” – but still are good reasons to upgrade to the latest versions of Asterisk. The list of advisories is:

The issues are all fixed in the latest versions of Asterisk:

  • Asterisk Open Source 1.8.32.1, 11.14.1, 12.7.1, 13.0.1
  • Certified Asterisk 1.8.28-cert3, 11.6-cert8

Kudos to the Digium/Asterisk Security Team for the work they do in keeping Asterisk secure – and also for their openness in reporting the issues publicly!

Asterisk Remote Crash Vulnerability in SIP Channel Driver

The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel driver. For info about the attack, they state only:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

An assumption from this statement would be that an UNauthenticated user could not carry out this attack… but I admit to not personally knowing the SIP channel driver of Asterisk enough to be able to stand behind this conclusion.

Regardless, updates have been released in the form of new versions 1.8.7.1 and 10.0.0-rc1.