Big Security Flaws Found In Asterix PBX, IAX VoIP Client

Open source IP PBX application Asterisk PBX and the open source IAX VoIP client contain serious security vulnerabilities that could allow hackers to assault VoIP networks with denial-of-service (DoS) attacks, says Core Security Technologies, a security company that discovered the threat.

Core Security says that the vulnerability could allow hackers to create buffer overflows in VoIP networks, which could then be used to launch DoS attacks. The open-source Asterisk group and Digium, which distributes Asterisk, have released patches for the vulnerability.

Asterisk PBX is used by small businesses who want to avoid the expense of having to pay for commercial IP PBX software, although it also forms the core of enterprise-level and service provider VoIP offerings, including Aspect Software's contact center application and SIPphone's Gizmo Project. The IAX VoIP client is used for several IP software phones.

Both applications fail to check for malformed UDP packets, says Core Security researchers, and attackers can exploit this vulnerability by sending a flood of too-short packets to create a buffer overflow.

Ivan Arce, CTO at Core Security, told Dark Reading that the vulnerabilities are easy to exploit, and that they could lead to "random Asterisk server crashes via a relatively trivial exploit.""I expect we'll see a lot more vulnerabilities like this in VOIP before we're through," he added. "VOIP is no different from any other IP traffic, and it is still relatively new. There will be a lot of bugs to work out."