MuLabs has posted details of multiple vulnerabilities in Asterisk 1.2.10.
Excerpt:
Vulnerability Details:
A remote stack buffer overflow condition in Asterisk's MGCP implementation could allow for arbitrary code execution. The vulnerable code is triggered with the use of a malformed AUEP (audit endpoint) response message.
A second issue exists in the handling of file names sent to the Record() application which could lead to arbitrary code execution via a format string attack or arbitrary file overwrite via directory traversal techniques. The impact of this vulnerability is minimal, however, as it requires an administrator to use a client-controlled variable as part of the filename.
Solution:
Mu Security would like to thank the Asterisk security team for their timely response to these issues.
A patch for the buffer overflow is available from the following link:
http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz
To protect against the Record() vulnerability, do not use user-controlled variables (e.g. ${CALLERIDNAME}) as part of the filename argument.
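As an added illustration (constructed for this page; it is not part of the Mu advisory or of the Asterisk project's own documentation), the following extensions.conf fragment shows the weak pattern the advisory warns about beside a corrected one. The context names, extension number and recording directory are assumptions made for the example. The corrected version keeps caller-supplied data out of the filesystem path entirely: the file is named from ${UNIQUEID}, which Asterisk generates itself, and the caller name is stored in the CDR user field where it is treated as data rather than as a path component. Arguments are separated with the pipe character as in the 1.2 dialplan syntax.

```ini
; Added example (constructed for this page, not from the Mu advisory or Asterisk).
; Context names, extension and recording directory are assumptions.

[record-weak]
; WEAK: ${CALLERIDNAME} comes from the calling party's signalling (for example
; the SIP From display name) unless the peer entry overrides callerid, so the
; caller chooses part of the path. A name such as "../../../tmp/evil" walks out
; of the recording directory, and the advisory reports that in 1.2.10 the
; filename could also be abused as a format string. ${CALLERIDNUM} is just as
; attacker-controlled and must not be used here either.
exten => 100,1,Answer()
exten => 100,2,Record(/var/spool/asterisk/recordings/${CALLERIDNAME}.wav|3|120)
exten => 100,3,Hangup()

[record-fixed]
; FIXED: name the file from ${UNIQUEID}, which Asterisk itself assigns to the
; channel (not taken from anything the caller sends), and record the caller
; name into the CDR user field instead of the filesystem path.
exten => 100,1,Answer()
exten => 100,2,Set(RECFILE=/var/spool/asterisk/recordings/${UNIQUEID})
exten => 100,3,Set(CDR(userfield)=${CALLERIDNAME})
exten => 100,4,Record(${RECFILE}.wav|3|120)
exten => 100,5,Hangup()
```

The same rule applies to any other application that turns a channel variable into a path (Monitor(), MixMonitor(), System()): if the variable originates from the far end of the call, map it to a server-generated identifier first or store it in the CDR, and let only identifiers that Asterisk controls reach the filesystem.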
Update
There is an entry on the Asterisk bug tracker (Mantis) regarding the above; nothing has been committed for it yet.
Original Content (C) 2004-2010
Matt Riddell