Asterisk Security Vulnerability in SIP Channel Driver
January 3, 2008
On December 26th, Grey VoIP reported a security hole in Asterisk - an Asterisk SIP Channel Driver BYE Message Denial of Service (DoS) vulnerability. The vulnerability could allow a remote user to send a specially crafted BYE message using the 'BYE with Also' transfer method to trigger a NULL pointer error and cause the target service to crash. In just a week, Digium, the founders of the open source Asterisk platform, released an update to fix the problem.
Every IP-PBX will have its share of bugs and security holes; I get Cisco advisories all the time, so I wasn't too concerned when I heard about this security vulnerability in Asterisk. But what amazes me is the fast turnaround to fix it - and over the major holidays no less!
Kudos to the Digium team and/or the open source community which were quick to react to this security issue! I'd be curious if it was the open source community that issued the patch or Digium. I'll fire off an email to Mark Spencer and see if he can give some insights.
Update (10:16am): Mark Spencer got back to me in 5 minutes. Here's his response:
"The issue was reported as simply a bug on the issue tracker, but Digium's development team recognized this was a security vulnerability and provided the fix, as well as testing each branch of Asterisk and backporting the fix to all versions of Asterisk that were affected (all 1.4 based). Thanks for your interest!"
Even though the open source community helps in the development of Asterisk, this certainly goes to show the importance of Digium and their hired programmers to update Asterisk. Again, kudos to the Digium team in fixing this so quickly.
rick :
January 3, 2008 11:50 AM
Not bad for free!