Vigil@nce: Asterisk, denial of service via IAX2 Call Number
September 2009 by Vigil@nce
An attacker can use all available call numbers, in order to
generate a denial of service on Asterisk.
Severity: 2/4
Consequences: denial of service of service
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/09/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The IAX2 protocol dissociates messages using a call number, which
is stored on 15 bits (32768 values).
However, an attacker can open 32768 sessions, in order to use all
available numbers. Legitimate users are no longer able to use the
service.
An attacker can thus use all available call numbers, in order to
generate a denial of service on Asterisk.
CHARACTERISTICS
Identifiers: AST-2009-006, BID-36275, CVE-2009-2346,
VIGILANCE-VUL-8999
http://vigilance.fr/vulnerability/Asterisk-denial-of-service-via-IAX2-Call-Number-8999