
Core Security Technologies Uncovers Vulnerabilities in Popular Phone Communications Software

Posted on: Monday, 12 June 2006, 09:00 CDT

Attacker Could Exploit Holes to Monitor, Control or Disable Companies' Phone Systems, or Potentially Gain Entry into Other Critical Network Systems

Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today published two advisories regarding vulnerabilities that could severely impact enterprise phone systems. Core researchers from CoreLabs discovered that, by exploiting either of these buffer overflow vulnerabilities, an attacker could remotely execute code and take control of an organization's entire voice communications system. These vulnerabilities could also serve as entry points for attackers to compromise other critical network systems. Specifically, the vulnerabilities affect:

-- Asterisk PBX (Private Branch Exchange), widely-used open source software for phone systems that supports an extensive range of VoIP equipment, protocols and features including voicemail, interactive voice response, call queuing, three-way calling, caller ID services and more.

-- IAXclient, an open source library that implements the IAX2 VoIP protocol used by several VoIP software phones. Core Security discovered two vulnerabilities that affect VoIP software phones which implement the IAX2 protocol using the IAXclient library.

"These vulnerabilities exemplify the need to address and act upon IP telephony and VoIP security threats in a serious, proactive and systematic manner," said Ivan Arce, CTO at Core Security Technologies. "It's a testament to the dedication and responsiveness of the developers involved with both of these widely used open source software products that security fixes were made available so quickly to their users."

Vulnerability Specifics:

Asterisk PBX truncated video frame vulnerability--The Asterisk-specific IAX2 protocol includes support for transmission of video between the IAX2 clients that implement this feature. A vulnerability found in Asterisk's handling of IAX2 video frames could lead to the remote compromise of the system running the software PBX through execution of arbitrary code of the attacker's choosing with the privileges of the Asterisk daemon. The vulnerability affects Asterisk PBX software versions up to and including v1.2.8.

IAXclient truncated frames vulnerabilities--IAXclient is an open source library that implements the IAX2 VoIP protocol used by the Asterisk IP PBX and several VoIP software phones. Two vulnerabilities have been discovered in the library that may grant attackers remote execution of arbitrary code on systems using software packages that rely on the library to implement the IAX protocol support. Although these vulnerabilities were discovered and tested using the IDE FISK software phone, other software packages that use the IAXclient library are also vulnerable.

The maintainers of the vulnerable software have updated their packages with fixed versions. For more information on both vulnerabilities, the systems they affect and their corresponding security fixes, please visit: http://www.coresecurity.com/common/showdoc.php?idx=547&idxseccion=10 and http://www.coresecurity.com/common/showdoc.php?idx=548&idxseccion=10

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company's flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.


Source: Business Wire
