Monday, August 10, 2009

Mu Dynamics Labs Discovers, Remediates VoIP Vulnerability

Mu Dynamics announced the discovery and expedited remediation of a dangerous new 0-day vulnerability in Asterisk's implementation of the Session Initiation Protocol (SIP). Mu Dynamics Research Labs found a critical flaw that lets an unauthenticated, anonymous attacker crash an Asterisk-based soft switch with the very first SIP packet it sends, for instance an INVITE message, so no registration or prior dialog with the target is needed. The company said other protocol implementations are likely vulnerable to similar failures, since reading a string and interpreting its characters as decimal digits is a common programming task, especially in text-based protocols such as HTTP, RTSP and SMTP. To prevent VoIP service downtime from similar weaknesses in complex code, SIP implementations must be tested against variations on real-world, service-level traffic throughout the development and deployment life cycles.
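The failure class the announcement names, reading a header field and interpreting its characters as decimal digits, is easy to get wrong with an atoi()-style conversion, which silently accepts an empty field, trailing garbage, or an out-of-range value. The C example below is added here for illustration; it is not Asterisk's code and does not reproduce the specific bug Mu Dynamics reported (the announcement gives no details of it). It shows the generic hardened numeric-field parser beside the naive conversion it replaces, applied to a constructed SIP INVITE; the message, the function names and the header lookup are all assumptions of the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample INVITE for the example; not a real capture. */
static const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Naive conversion of the kind the announcement warns about: atoi() returns 0 for
 * an empty field, stops silently at the first non-digit, and has undefined
 * behaviour on overflow, so the caller cannot tell bad input from a real value. */
int naive_parse_uint(const char *s)
{
    return atoi(s);
}

/* Hardened conversion: the field must be non-empty, all ASCII digits, and fit in
 * an unsigned long. Returns 0 and stores the value, or -1 on any violation. */
int parse_sip_uint(const char *s, size_t len, unsigned long *out)
{
    unsigned long v = 0;
    if (len == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < '0' || c > '9')
            return -1;
        unsigned d = c - '0';
        if (v > (ULONG_MAX - d) / 10)   /* v * 10 + d would overflow */
            return -1;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* SIP header names are case-insensitive (RFC 3261). */
static int name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Locate a header by name in a CRLF-delimited SIP message and parse its first
 * token as an unsigned decimal. Returns 0 on success, -1 if the header is absent,
 * the header section is truncated, or the token fails parse_sip_uint(). */
int sip_header_uint(const char *msg, const char *name, unsigned long *out)
{
    size_t nlen = strlen(name);
    const char *eol = strstr(msg, "\r\n");   /* skip the request line */
    if (eol == NULL)
        return -1;
    const char *line = eol + 2;
    while (line[0] != '\0' && !(line[0] == '\r' && line[1] == '\n')) {
        eol = strstr(line, "\r\n");
        if (eol == NULL)
            return -1;                       /* truncated: no terminating CRLF */
        if ((size_t)(eol - line) > nlen && line[nlen] == ':' && name_eq(line, name, nlen)) {
            const char *p = line + nlen + 1;
            while (p < eol && (*p == ' ' || *p == '\t'))
                p++;                         /* skip leading whitespace */
            const char *q = p;
            while (q < eol && *q != ' ' && *q != '\t')
                q++;                         /* first token only, e.g. "314159" of "314159 INVITE" */
            return parse_sip_uint(p, (size_t)(q - p), out);
        }
        line = eol + 2;
    }
    return -1;                               /* header not present */
}

/* Convenience wrappers: the parsed value, or -1 when it is missing or malformed. */
long parse_or_neg(const char *s)
{
    unsigned long v;
    if (parse_sip_uint(s, strlen(s), &v) != 0 || v > LONG_MAX)
        return -1;
    return (long)v;
}

long sip_header_uint_or_neg(const char *msg, const char *name)
{
    unsigned long v;
    if (sip_header_uint(msg, name, &v) != 0 || v > LONG_MAX)
        return -1;
    return (long)v;
}

int main(void)
{
    printf("naive \"12abc\" -> %d (garbage accepted)\n", naive_parse_uint("12abc"));
    printf("hardened \"12abc\" -> %ld (rejected)\n", parse_or_neg("12abc"));
    printf("CSeq -> %ld\n", sip_header_uint_or_neg(SAMPLE_INVITE, "CSeq"));
    printf("Expires -> %ld (absent)\n", sip_header_uint_or_neg(SAMPLE_INVITE, "Expires"));
    return 0;
}
```

The point of the hardened path is that every malformed field produces an explicit error the caller must handle, rather than a plausible-looking number that is later used as a length, count or index. Fuzzing the parser with mutated copies of the sample message (empty fields, signs, letters, 20-digit values, a header section with no terminating CRLF) is the kind of "variation on real-world traffic" the announcement recommends.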

"As usual, when a 0-day vulnerability is discovered and remediated, the users of this software are urged to immediately upgrade to the patched version of the product, in this case Digium's Asterisk," said Thomas Maufer, Mu Dynamics' Director of Technical Marketing. "The Mu Dynamics Research Team appreciates Digium's rapid response time in producing a fix to this serious bug in less than two weeks."
