Skinny Channel Driver Remote Crash Vulnerability

A previously developed patch dealt with a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a Null pointer. Similar to the problem solved with the previous patch, a remote attacker with a valid SCCP ID can use this vulnerability by closing a connection to the Asterisk server when a station is in the "Off Hook" call state and…

VoIP News 3.1 years ago 0 Answers

Asterisk 10.5.1 Now Available (Security Release)

The Asterisk Development Team has announced a security release for Asterisk 10.
This security release is released as version 10.5.1.

The release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 10.5.1 resolves the following issue:

* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
  Channel driver. When an SCCP client sends an Off Hook message, followed by
  a Key Pad Button Message, a structure that was previously set to NULL is
  dereferenced. This allows remote authenticated connections the ability to
  cause a crash in the server,…

Asterisk Users 3.1 years ago 0 Answers

SCCP Questions

Hi List,

Has anyone been running SCCP with a larger number of phones? I'm looking to
deploy like 75+ phones and I want to keep SCCP so I don't have to upgrade
them and for the SLA. Some phones also have no SIP software for them, so I'm
forced to keep SCCP. Does anyone have any experience with this? From what
I've read the SCCP support works and works well. I'm just worried about
trying to run this many phones and if I'm missing any sort of issues that
could come up.

Thanks!

Asterisk Users 3.1 years ago 4 Answers

Certified Asterisk 1.8.11-cert2; Asterisk 1.8.12.1, 10.4.1 Now Available (Security Release)

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolves the following
two issues:

* A remotely exploitable crash vulnerability exists in the IAX2 channel
  driver if an established call is placed on hold without a suggested music
  class. Asterisk will attempt to use an invalid pointer to the music
  on hold class name,…

Asterisk Users 3.1 years ago 0 Answers