A leading penetration testing vendor announced today that it found three vulnerabilities that put enterprise telephone infrastructure critically at risk.
Officials from Core Security Technologies reported that a wide range of telephony systems are open to attack through the trio of buffer overflow vulnerabilities found by its in-house researchers.
The first vulnerability affects Asterisk PBX, a popular open source program that supports VoIP equipment, protocols and features. The exposure arises through Asterisk’s IAX2 protocol, which supports video transmission. The way the program handles IAX2 video frames leaves it open to a remote compromise of the system. All Asterisk PBX software versions up to and including v1.2.8 are at risk.
The other two vulnerabilities affect IAXclient, an open source library that implements the IAX2 protocol used by Asterisk IP PBX and numerous VoIP software phones. Both vulnerabilities allow remote execution of code on systems running software that relies on the library for IAX protocol support.
Researchers at Core Security said that the vulnerabilities are not garden-variety buffer overflows.
“It is not the most common kind of buffer overflow, it is a little bit more obscure,” said Max Caceres, director of product management for Core Security. “Sometimes people refer to these attacks as integer overflows. The end result is the same as the buffer overflow — but the main difference is that they are a little bit harder to find.”
Caceres said that his company worked closely with Asterisk to make patches available for these exposure points. He encouraged IT departments to ensure that their telephony systems are protected with timely patches.
“Traditionally people don’t think of telephony systems as things they need to protect from vulnerabilities or attack, but as telephony converges with data networks they are subject to the same issues we’ve seen before,” he said. “This is just another component sitting on the network that can be used to launch additional attacks.”