Bug Bites VOIP Apps
The vulnerability could let attackers trigger buffer overflows in VOIP software, in effect mounting a denial-of-service attack against any network that runs the affected code, according to Core Security Technologies, which discovered the flaw.
Asterisk PBX, a widely used open-source application that provides private branch exchange features for VOIP networks, and IAXClient, an open-source library that implements the IAX protocol for several IP software phones, are the two affected products. Both are widely used in small businesses where conventional IP-PBX software is too expensive. But Asterisk also serves as the underlying software for enterprise-level and service-provider products, such as Aspect Software's contact center application and SIPphone's Gizmo Project.
The two applications share a design flaw: neither validates the length of incoming UDP packets before parsing them, so a truncated packet is processed as if it carried a complete frame, according to Ivan Arce, CTO at Core Security. "An attacker can easily create a buffer overflow by sending an abundance of packets that are too short," he says.
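To make the flaw concrete, here is an added illustration in C; it is not code from Asterisk, IAXClient or Core Security's advisory. It assumes a simplified IAX-style framing (a 12-byte full-frame header flagged by the top bit of the first word, a 4-byte mini-frame header otherwise), which is an assumption for the sake of the example and not the real wire format. The unchecked function shows what goes wrong when a datagram shorter than the header is trusted: the header reads run past the receive buffer and the computed payload length wraps around to a huge value, which any later copy turns into an overflow. The checked parser rejects the runt before touching a single field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified IAX-style framing (illustration only, not the real
 * Asterisk or IAXClient layout):
 *   full frame : 12-byte header, payload follows; bit 15 of the first word set
 *   mini frame :  4-byte header (call number, 16-bit timestamp), payload follows */
#define FULL_HDR_LEN 12
#define MINI_HDR_LEN 4

struct frame {
    int full;               /* 1 = full frame, 0 = mini frame */
    uint16_t src_call;      /* source call number (15 bits) */
    uint16_t dst_call;      /* destination call number (full frames only) */
    uint32_t timestamp;
    uint8_t type;           /* full frames only */
    uint8_t subclass;       /* full frames only */
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE pattern: the code assumes every datagram is at least one header
 * long. For a 3-byte datagram the subtraction wraps around, so the "payload"
 * is reported as nearly SIZE_MAX bytes; a memcpy of that many bytes into a
 * fixed buffer is the overflow the advisory describes. Nothing is copied here,
 * the function only exposes the wrapped length. */
static size_t payload_len_unchecked(size_t len, int full) {
    return len - (full ? FULL_HDR_LEN : MINI_HDR_LEN);
}

/* HARDENED: validate the datagram length before reading any field.
 * Returns 0 on success, -1 if the datagram is too short to be a frame. */
static int parse_frame_checked(const uint8_t *buf, size_t len, struct frame *out) {
    if (buf == NULL || out == NULL || len < MINI_HDR_LEN)
        return -1;                              /* cannot even read the first word */
    uint16_t first = rd16(buf);
    out->full = (first & 0x8000) != 0;
    out->src_call = first & 0x7fff;
    if (out->full) {
        if (len < FULL_HDR_LEN)
            return -1;                          /* truncated full-frame header */
        out->dst_call = rd16(buf + 2) & 0x7fff;
        out->timestamp = rd32(buf + 4);
        out->type = buf[10];
        out->subclass = buf[11];
        out->payload = buf + FULL_HDR_LEN;
        out->payload_len = len - FULL_HDR_LEN;  /* cannot wrap: len >= 12 here */
    } else {
        out->dst_call = 0;
        out->timestamp = rd16(buf + 2);
        out->type = 0;
        out->subclass = 0;
        out->payload = buf + MINI_HDR_LEN;
        out->payload_len = len - MINI_HDR_LEN;  /* cannot wrap: len >= 4 here */
    }
    return 0;
}

/* Convenience wrapper: payload length of a validated frame, or -1 if rejected. */
static long checked_payload_len(const uint8_t *buf, size_t len) {
    struct frame f;
    return parse_frame_checked(buf, len, &f) == 0 ? (long)f.payload_len : -1L;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t SAMPLE_FULL[] = {0x80, 0x01, 0x00, 0x02, 0x00, 0x00, 0x03, 0xe8,
                                      0x01, 0x02, 0x06, 0x02, 'h', 'i'};  /* 2-byte payload */
static const uint8_t SAMPLE_MINI[] = {0x00, 0x05, 0x00, 0x10, 0xaa};     /* 1-byte payload */
static const uint8_t SAMPLE_RUNT[] = {0x80, 0x01, 0x00};                 /* 3 bytes, "full" */

int main(void) {
    printf("full  : payload_len=%ld\n", checked_payload_len(SAMPLE_FULL, sizeof SAMPLE_FULL));
    printf("mini  : payload_len=%ld\n", checked_payload_len(SAMPLE_MINI, sizeof SAMPLE_MINI));
    printf("runt  : payload_len=%ld (rejected)\n", checked_payload_len(SAMPLE_RUNT, sizeof SAMPLE_RUNT));
    printf("runt unchecked: %zu (wrapped)\n", payload_len_unchecked(sizeof SAMPLE_RUNT, 1));
    return 0;
}
```

The check belongs at the earliest point where the datagram length is known, before any header field is decoded; validating fields first and length second, as the unchecked version does, is exactly the ordering that lets a flood of short packets reach the overflow.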
Get all the details at Dark Reading.
— Tim Wilson, Site Editor, Dark Reading