Asterisk Security Vulnerability in SIP Channel Driver

January 3, 2008
Digium securityOn December 26th, Grey VoIP reported a security hole in Asterisk - an Asterisk SIP Channel Driver BYE Message Denial of Service (DoS) vulnerability. The vulnerability could allow a remote user to send a specially crafted BYE message using the 'BYE with Also' transfer method to trigger a NULL pointer error cause the target service to crash. In just a week, Digium, the founders of the open source Asterisk platform, released an update to fix the problem.

Every IP-PBX will have its share of bugs and security holes, I get Cisco advisories all the time, so I wasn't too concerned when I heard about this security vulnerability in Asterisk. But what amazes me is the fast turnaround to fix it - and over the major holidays no less!

Kudos to the Digium team and/or the open source community which were quick to react to this security issue! I'd be curious if it was the open source community that issued the patch or Digium. I'll fire off an email to Mark Spencer and see if he can give some insights.

Update (10:16am): Mark Spencer got back to me in 5 minutes. Here's his response
"The issue was reported as simply a bug on the issue tracker, but Digium's development team recognized this was a security vulnerability and provided the fix, as well as testing each branch of Asterisk and backporting the fix to all versions of Asterisk that were affected (all 1.4 based). Thanks for your interest!"

Even though the open source community helps in the development of Asterisk, this certainly goes to show the importance of Digium and their hired programmers to update Asterisk. Again, kudos to the Digium team in fixing this so quickly.


Post a comment
Tags: , , ,

Search Technorati: , , ,
Related Tags: , , , , ,

Listed below are links to sites that reference Asterisk Security Vulnerability in SIP Channel Driver:

Trackback Pings

TrackBack URL:
http://blog.tmcnet.com/mt3/t.fcgi/34486

Comments to Asterisk Security Vulnerability in SIP Channel Driver


  1. rick :

    Not bad for free!


(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)