Asterisk VoIP flaw patched

The open source project has fixed a vulnerability in its PBX software with the help of ISS, the company that discovered the hole

Asterisk, the open source Voice over Internet Protocol (VoIP) project, released patches for a security hole in its virtual private branch exchange (PBX) software over the weekend.

The hole exists in IAX2, the protocol that underpins the Asterisk service. If exploited, it could lead to denial-of-service attacks on businesses that use the Asterisk PBX for their IP telephony services.

"The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial-of-service attacks and random Asterisk server crashes via a relatively trivial exploit," said the project in a statement.

Asterisk is open source, freely available software that offers organisations all the features of a typical telephony PBX.

Asterisk PBX users have been advised to upgrade to the latest version of Asterisk, 1.2.10, which includes the capability to limit the maximum number of simultaneous unauthenticated calls that can be placed by a single user.

"The Asterisk release contains a new option to help avoid a potential denial-of-service vulnerability in the IAX2 channel driver," confirmed Asterisk in a statement.

Vulnerability researchers at Internet Security Systems (ISS), a security vendor, first discovered the vulnerability earlier this year, and worked with Asterisk to develop a patch.

The vulnerability is apparent if an attacker floods the phone service with call requests, thereby preventing the phone service from handling new telephone calls.

The vulnerability also allows an attacker to use an account without a password on one Asterisk PBX network to flood another network with large amounts of traffic.

The volume of traffic can saturate the victim's Internet connection and cause complete denial of Internet service to the victim. Additionally, those being used to perpetrate the attack may experience reduced quality of service.

Vulnerability researchers advised businesses using older versions of Asterisk to upgrade as soon as possible.

"An attack would cripple an organisation's ability to do business," said Alain Sergile, technical product manager for X-Force, the vulnerability research division of ISS.

"You could stop all calls to and from that business. If a call centre was affected, you could inhibit the business from making money from processing orders," Sergile added.