Aí, pros admins que tão usando o asterisk, parece que apareceu algum probleminha e é bom atualizar quem tiver com versões mais antigas do PBX.
- Fabrício
--- Begin Message ---The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Asterisk SIP DoS Vulnerability (Empty REGISTER) ------------------------------------------------------------------------ SUMMARY " <http://www.asterisk.org/> Asterisk is the most popular and extensible open source telephone system in the world, offering flexibility, functionality and features not available in advanced, high-end (high-cost) proprietary business systems. Asterisk is a complete IP PBX (private branch exchange) for businesses, and can be downloaded for free." Due to bad handling by Asterisk's SIP parser, a remote attacker can cause the product to crash by sending it a malformed SIP REGISTER request. DETAILS Vulnerable Systems: * Asterisk versions 1.2.15 and 1.4.0, and earlier. Asterisk crashes when handed an otherwise valid request message but with no URI and no SIP-version in the request-line of the message. For example, "REGISTER\r\n <other valid SIP headers>". The crash is due to a null pointer dereference, and does not appear to be otherwise exploitable. Vendor Status: Fixed in releases 1.2.16 and 1.4.1. Available from <http://www.asterisk.org> http://www.asterisk.org Disclosure Timeline: * March 1, 2007 - First contact with vendor * March 2, 2007 - Vendor acknowledges vulnerability * March 7, 2007 - Advisory released * March 9, 2007 - Advisory updated with correct dates ADDITIONAL INFORMATION The information has been provided by musecurity. The original article can be found at: <http://labs.musecurity.com/advisories/MU-200703-01.txt> http://labs.musecurity.com/advisories/MU-200703-01.txt ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [EMAIL PROTECTED] In order to subscribe to the mailing list, simply forward this email to: [EMAIL PROTECTED] ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
--- End Message ---
---------------------------------------- Estação VoIP 2006 5 e 6 Dezembro Curitiba PR http://www.estacaovoip.com.br _______________________________________________ LIsta de discussões AsteriskBrasil.org AsteriskBrasil@listas.asteriskbrasil.org http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil _______________________________________________ Acesse o wiki AsteriskBrasil.org: http://www.asteriskbrasil.org
