By | John Leyden 20th March 2008 15:42

Asterisk mauled by buffer overflow bug

Are IP PBXs the next hacking battleground?

Buffer overflows - the perennial cause of security vulnerabilities in desktop applications - may become a worry for sys admins managing computerised telephone switchboards in the wake of the recent discovery of bugs in a popular IP PBX package.

A trio of vulnerabilities in the Asterisk range of open source IP-PBX software applications pose a severe risk for businesses that use the technology to computerise their switchboards and take advantage of low-cost internet telephony calls. The flaws might be used by attackers to bypass security restrictions, crash or otherwise compromise a vulnerable system. Fortunately, Asterisk published security updates addressing the bugs on Tuesday.

One of the three flaws involves buffer overflow errors in handling SIP (Session Initiation Protocol) INVITE packets. The flaw might be used to crash applications or run arbitrary code.

A second, less serious flaw involves an error in the SIP channel driver when handling invalid "From" headers. The bug might be exploited to perform unauthenticated calls.

A third error poses an application-crashing risk and stems from a different cause: flaws in functions connected with displaying call logs.
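The first two flaws above are both reached through the SIP request a PBX receives: an INVITE whose contents overrun a fixed-size buffer, and a From header the channel driver fails to handle. A defender's mitigation while patches are rolled out is to validate inbound requests before they reach the PBX parser. The following is an added example of such a pre-filter in Python; it is not Asterisk's code and does not reproduce the specific bugs. The size limits, the simplified From grammar and the sample messages (RFC 5737 documentation addresses) are assumptions constructed for the example.

```python
"""Defensive pre-filter for SIP requests: flags malformed From headers and
oversized fields before a message reaches a PBX's parser. Example code added
here, not Asterisk's own; the limits below are assumed values."""
import re

MAX_LINE_LEN = 1024      # longest request-line or header line accepted (assumed)
MAX_BODY_LEN = 4096      # longest message body such as SDP accepted (assumed)
MAX_HEADER_COUNT = 64    # upper bound on header lines (assumed)

# RFC 3261 'token' characters (simplified) and a simplified From grammar:
#   [display-name] <sip:user@host[:port]>;tag=value[;other=params]
TOKEN = r"[A-Za-z0-9\-_.!%*+`'~]+"
FROM_RE = re.compile(
    r'^(?:"[^"\r\n]*"\s*|[^<"\r\n;]*\s*)?'                 # optional display name
    r"<sips?:[^@<>\s;]+@[A-Za-z0-9.\-]+(?::\d{1,5})?>"     # <sip:user@host[:port]>
    r"(?:;" + TOKEN + r"(?:=" + TOKEN + r")?)*$"           # ;param[=value] list
)
TAG_RE = re.compile(r";tag=" + TOKEN)   # RFC 3261 requires a tag on From in requests

# Compact header names folded to their long forms
COMPACT = {"f": "from", "t": "to", "i": "call-id", "l": "content-length", "v": "via"}


def check_sip_request(raw: bytes) -> list:
    """Return a list of findings for one SIP request; an empty list means it passed."""
    findings = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in message"]

    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ SIP/2\.0$", lines[0]):
        findings.append("malformed request line")

    header_lines = lines[1:]
    if len(header_lines) > MAX_HEADER_COUNT:
        findings.append(f"more than {MAX_HEADER_COUNT} header lines")
    if any(len(line) > MAX_LINE_LEN for line in lines):
        findings.append(f"header line exceeds {MAX_LINE_LEN} bytes")

    headers = {}
    for line in header_lines[:MAX_HEADER_COUNT]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("header line without ':'")
            continue
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in headers and name in ("from", "to", "call-id", "cseq"):
            findings.append(f"duplicate {name} header")
        headers[name] = value.strip()

    # From header: must parse under the simplified grammar and carry a tag
    frm = headers.get("from")
    if frm is None:
        findings.append("missing From header")
    elif not FROM_RE.match(frm):
        findings.append("malformed From header")
    elif not TAG_RE.search(frm):
        findings.append("From header lacks tag parameter")

    # Body: declared length must match, and the body must fit the limit
    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            findings.append("non-numeric Content-Length")
        elif int(cl) != len(body):
            findings.append("Content-Length does not match body size")
    if len(body) > MAX_BODY_LEN:
        findings.append(f"body exceeds {MAX_BODY_LEN} bytes")
    return findings


# Constructed sample messages for the example, not captured traffic.
GOOD_INVITE = (
    b"INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b'From: "Alice" <sip:alice@192.0.2.10>;tag=1928301774\r\n'
    b"To: <sip:bob@pbx.example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# From header with no angle-bracket address and no tag
BAD_FROM_INVITE = GOOD_INVITE.replace(
    b'From: "Alice" <sip:alice@192.0.2.10>;tag=1928301774', b"From: alice@@"
)
# SDP body far larger than the limit, with a matching Content-Length
_BIG_BODY = b"v=0\r\na=" + b"A" * 5000 + b"\r\n"
OVERSIZED_INVITE = GOOD_INVITE.replace(
    b"Content-Length: 0", b"Content-Length: %d" % len(_BIG_BODY)
) + _BIG_BODY

if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("bad-from", BAD_FROM_INVITE),
                       ("oversized", OVERSIZED_INVITE)):
        print(label, check_sip_request(msg) or "ok")
```

A filter like this belongs in front of the PBX (a SIP-aware proxy or session border controller), where a rejected message is logged and dropped; the findings list doubles as the alert text for the SOC, so a burst of "malformed From header" or "body exceeds" events against one PBX is visible in monitoring rather than only in a crash dump.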

The flaws were discovered by MU Security Research Team.

Security watchers say the vulnerabilities illustrate the need for enterprises to review their IP telephony security arrangements.

"Most companies have installed multi-layered security technology on their computer network, but IP telephony services almost always escape the scrutiny of the IT security systems in place to protect a company's computers and network technology," said Rob Rachwald, director of product marketing at application security specialist Fortify Software.

According to Rachwald, IP-PBX hackers are confining their activities to crashing systems or causing a denial of service attack. However, he added that this may change with the emergence of flaws that could allow hackers to take over control of company PBXs. ®
