Two flaws in the open source private branch exchange (PBX) system Asterisk could allow attackers to disrupt a business's phone system or VoIP gateway by flooding it with bogus calls, according to security company Internet Security Systems (ISS), whose X-Force Threat Analysis Service discovered the vulnerabilities.
The bugs were found in the Inter-Asterisk eXchange protocol version 2 (IAX2).
"Users of VoIP systems must be mindful not only of DoS vulnerabilities in their VoIP PBX implementations, such as the vulnerability discovered in Asterisk, but underlying VoIP protocol weaknesses that may leave organizations open to vishing, a new security threat that uses VoIP to steal user information, and spam over the VoIP network," said Chris Rouland, CTO of ISS.
ISS also discovered a second vulnerability that allows an attacker to use accounts configured without passwords on an Asterisk PBX to flood another network with large amounts of traffic. The volume of traffic can saturate the victim's internet connection and cause a complete denial of internet service to the victim. Additionally, victims of the attack may experience reduced quality of service.
Asterisk has already released a patch to fix the DoS vulnerability. ISS urged Asterisk users to upgrade as soon as possible, or to avoid exposing IAX2 services to the public where that is not necessary. Asterisk also said users should ensure that no accounts are configured without passwords.
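The two configuration points the advisory names, accounts with no password and an IAX2 listener reachable from the public internet, can be checked mechanically. The script below is an added example, not code from ISS or the Asterisk project: it parses an iax.conf and reports inbound entries (type=user or type=friend) that carry neither a secret nor an RSA inkeys setting, and a [general] bindaddr that binds every interface. It assumes Asterisk's ini-like file layout ([section] headers, key=value or key=>value lines, ';' comments), the secret/inkeys/bindaddr/bindport key names, and the default bind of 0.0.0.0 on UDP 4569; the sample configuration embedded in it is constructed for the example.

```python
"""Audit an Asterisk iax.conf for passwordless inbound accounts and a
wildcard IAX2 bind address. Added example; assumptions about the
iax.conf layout and key names are noted in comments."""

import ipaddress
import re
from collections import defaultdict

# Constructed sample iax.conf (not from the article): one unauthenticated
# guest entry, one properly secured friend, one outbound-only peer.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
bindaddr=0.0.0.0          ; listens on every interface

[guest]                   ; classic unauthenticated inbound entry
type=user
context=default

[branch-office]
type=friend
secret=REPLACE_WITH_STRONG_SECRET
host=dynamic
context=internal

[upstream-trunk]
type=peer                 ; outbound only, never authenticates callers
host=203.0.113.10
"""

# Section header; a trailing "(template)" or "(!)" suffix is ignored.
_SECTION = re.compile(r"^\[([^\]]+)\]")
# Asterisk accepts both "key=value" and "key => value".
_KEYVAL = re.compile(r"\s*=>?\s*")

INBOUND_TYPES = {"user", "friend"}   # entry types that accept incoming calls
DEFAULT_BIND = "0.0.0.0"             # assumed default when bindaddr is absent
DEFAULT_PORT = "4569"                # assumed default when bindport is absent


def parse_asterisk_conf(text):
    """Parse Asterisk's ini-like config into {section: {key: [values]}}.
    Keys may repeat (e.g. several allow= lines), so every value is a list."""
    conf = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = _SECTION.match(line)
        if header:
            section = header.group(1).strip()
            conf[section]                         # register even if empty
            continue
        if section is None:
            continue                              # key before any section
        parts = _KEYVAL.split(line, maxsplit=1)
        if len(parts) != 2:
            continue                              # not a key/value line
        key, value = parts[0].lower(), parts[1]
        conf[section][key].append(value)
    return {s: {k: list(v) for k, v in kv.items()} for s, kv in conf.items()}


def audit_iax_conf(text):
    """Return a list of human-readable findings; empty list means clean."""
    conf = parse_asterisk_conf(text)
    findings = []

    general = conf.get("general", {})
    bindaddr = general.get("bindaddr", [DEFAULT_BIND])[-1]
    port = general.get("bindport", [DEFAULT_PORT])[-1]
    try:
        wildcard = ipaddress.ip_address(bindaddr).is_unspecified
    except ValueError:
        wildcard = False                          # hostname or typo: skip
    if wildcard:
        findings.append(
            f"IAX2 listens on every interface ({bindaddr}:{port}/udp); bind to an "
            "internal address or filter the port at the edge if IAX2 is not "
            "needed from the internet")

    for name, kv in conf.items():
        if name == "general":
            continue
        entry_type = kv.get("type", [""])[-1].lower()
        if entry_type not in INBOUND_TYPES:
            continue                              # peers only place calls
        has_secret = any(v for v in kv.get("secret", []))
        has_rsa = bool(kv.get("inkeys"))          # RSA public-key auth
        if not has_secret and not has_rsa:
            findings.append(
                f"[{name}] (type={entry_type}) accepts calls with no password; "
                "set secret= (or inkeys= for RSA auth) or remove the entry")
    return findings


if __name__ == "__main__":
    for finding in audit_iax_conf(SAMPLE_IAX_CONF):
        print("FINDING:", finding)
```

Run it against a real iax.conf by replacing SAMPLE_IAX_CONF with the file's contents. A clean result only means these two misconfigurations are absent; the DoS flaw itself is fixed by the patch, and whether a wildcard bind is actually reachable from the internet depends on the firewall in front of the PBX, which the script cannot see.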