Users of two popular open-source VOIP applications could come under attack if they don't patch their software quickly, a security researcher said today.


The vulnerability could enable attackers to create buffer overflows in VOIP networks, effectively creating a denial-of-service attack on networks that use the software, according to Core Security Technologies, which discovered the threat.



Asterisk PBX, a widely used open-source application that provides private branch exchange features for VOIP networks, and IAX client, an open-source library that runs VOIP protocols for several IP software phones, are the two systems at risk. The two applications are widely used in small businesses where conventional IP-PBX software is too expensive. But Asterisk also serves as the underlying software for enterprise-level and service-provider products, such as Aspect Software's contact center application and SIPphone's Gizmo Project.



The two applications contain a design flaw in which they fail to check for malformed UDP packets, according to Ivan Arce, CTO at Core Security.

"An attacker can easily create a buffer overflow by sending an abundance of packets that are too short," he says.
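As an added illustration (not code from the article, from Asterisk or from the IAX library), the class of flaw described above: a datagram parser that trusts the sender to have supplied a complete header, beside one that rejects short packets before reading them. The 12-byte header layout here is a constructed placeholder, not the real IAX2 format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed header layout for this example (hypothetical, not IAX2). */
#define HDR_LEN 12

struct hdr {
    uint16_t src_call, dst_call;
    uint32_t timestamp;
    uint8_t  oseq, iseq, type, subclass;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void decode(const uint8_t *buf, struct hdr *out) {
    out->src_call = be16(buf);      out->dst_call = be16(buf + 2);
    out->timestamp = be32(buf + 4);
    out->oseq = buf[8]; out->iseq = buf[9]; out->type = buf[10]; out->subclass = buf[11];
}

/* Vulnerable pattern: the datagram length is ignored, so a packet shorter than
 * HDR_LEN makes decode() read past the end of the receive buffer. */
int parse_hdr_unchecked(const uint8_t *buf, size_t len, struct hdr *out) {
    (void)len;               /* the missing check is the design flaw */
    decode(buf, out);        /* over-read when len < HDR_LEN */
    return 0;
}

/* Hardened: drop any datagram that cannot hold a full header, then decode. */
int parse_hdr_checked(const uint8_t *buf, size_t len, struct hdr *out) {
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return -1;           /* malformed packet: discard, service continues */
    decode(buf, out);
    return 0;
}

int main(void) {
    /* Constructed sample datagrams: one complete, one truncated to 5 bytes. */
    const uint8_t full[HDR_LEN] = {0,1, 0,2, 0,0,3,0xE8, 7,9,6,2};
    struct hdr h;
    printf("full:  %d\n", parse_hdr_checked(full, sizeof full, &h));   /* 0  */
    printf("short: %d\n", parse_hdr_checked(full, 5, &h));             /* -1 */
    return 0;
}
```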


Source: Light Reading