SUNNYVALE, Calif. -- Mu Security, a pioneer in the new security analyzer market, has discovered a remote DoS in Asterisk SIP vulnerability. See: http://labs.musecurity.com/advisories.html
Affected Products/Versions: Asterisk versions 1.2.15 and 1.4.0, and earlier.
Product Overview: http://www.asterisk.org/
Asterisk is the most popular and extensible open source telephone system in the world, offering flexibility, functionality and features not available in advanced, high-end (high-cost) proprietary business systems. Asterisk is a complete IP PBX (private branch exchange) for businesses, and can be downloaded for free.
Asterisk crashes when handed an otherwise valid request message but with no URI and no SIP-version in the request-line of the message. For example, "REGISTER\r\n
Vendor Response / Solution: Fixed in releases 1.2.16 and 1.4.1. Available from http://www.asterisk.org
March 1, 2006 - First contact with vendor
March 2, 2006 - Vendor acknowledges vulnerability
March 7, 2006 - Advisory released
Credit: This vulnerability was discovered by the Mu Security research team. http://labs.musecurity.com/pgpkey.txt