Bug Bites VOIP Apps

Users of two popular open-source VOIP applications could come under attack if they don't patch their software quickly, a security researcher said today.

The vulnerability could enable attackers to create buffer overflows in VOIP networks, effectively creating a denial-of-service attack on networks that use the software, according to Core Security Technologies, which discovered the threat.

Asterisk PBX, a widely used open-source application that provides private branch exchange features for VOIP networks, and IAX client, an open-source library that runs VOIP protocols for several IP software phones, are the two systems at risk. The two applications are widely used in small businesses where conventional IP-PBX software is too expensive. But Asterisk also serves as the underlying software for enterprise-level and service-provider products, such as Aspect Software's contact center application and SIPphone's Gizmo Project.

The two applications contain a design flaw in which they fail to check for malformed UDP packets, according to Ivan Arce, CTO at Core Security. "An attacker can easily create a buffer overflow by sending an abundance of packets that are too short," he says.

Get all the details at Dark Reading.

— Tim Wilson, Site Editor, Dark Reading

American Indian 12/5/2012 | 3:51:52 AM
re: Bug Bites VOIP Apps

This open source "bug" was fixed weeks ago - the beauty of open source. Your article did not reflect this occurrence which is important.

Cisco, Nortel, Alcatel, Microsoft, etc. -- would take forever for a patch.

Stop paying for someone's name - go open source. It is solid software and literally thousands of folks jump in when there is a problem and it gets fixed.