Mu Finds Remote DOS

SUNNYVALE, Calif. -- Mu Security, a pioneer in the new security analyzer market, has discovered a remote DoS in Asterisk SIP vulnerability. See: http://labs.musecurity.com/advisories.html

Affected Products/Versions: Asterisk versions 1.2.15 and 1.4.0, and earlier.

Product Overview: http://www.asterisk.org/

Asterisk is the most popular and extensible open source telephone system in the world, offering flexibility, functionality and features not available in advanced, high-end (high-cost) proprietary business systems. Asterisk is a complete IP PBX (private branch exchange) for businesses, and can be downloaded for free.

Vulnerability Details:

Asterisk crashes when handed an otherwise valid request message but with no URI and no SIP-version in the request-line of the message. For example, "REGISTER\r\n ". The crash is due to a null pointer dereference, and does not appear to be otherwise exploitable.

Vendor Response / Solution: Fixed in releases 1.2.16 and 1.4.1. Available from http://www.asterisk.org

History: March 1, 2006 - First contact with vendor
March 2, 2006 - Vendor acknowledges vulnerability
March 7, 2006 - Advisory released

Credit: This vulnerability was discovered by the Mu Security research team. http://labs.musecurity.com/pgpkey.txt

Mu Security Inc.