Core Security Technologies Uncovers Vulnerabilities in Popular Phone Communications Software.BOSTON -- Attacker Could Exploit holes to Monitor, Control or Disable Companies' Phone Systems, or Potentially Gain Entry into Other Critical Network Systems Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today published two advisories regarding vulnerabilities that could severely impact enterprise phone systems. Core researchers from CoreLabs discovered that, by exploiting either of these buffer overflow A common cause of malfunctioning software. If the amount of data written into a buffer exceeds the size of the buffer, the additional data will be written into adjacent areas, which could be buffers, constants, flags or variables. vulnerabilities, an attacker could remotely execute code and take control of an organization's entire voice communications system In telecommunication, a communications system is a collection of individual communications networks, transmission systems, relay stations, tributary stations, and data terminal equipment (DTE) usually capable of interconnection and interoperation to form an integrated whole. . These vulnerabilities could also serve as entry points for attackers to compromise other critical network systems. Specifically, the vulnerabilities affect: --Asterisk PBX (Private Branch eXchange) An inhouse telephone switching system that interconnects telephone extensions to each other as well as to the outside telephone network (PSTN). (Private Branch Exchange), widely-used open source software for phone systems that supports an extensive range of VoIP equipment, protocols and features including voicemail, interactive voice response, call queuing, three-way calling Noun 1. three-way calling - a way of adding a third party to your conversation without the assistance of a telephone operator conference call - a telephone call in which more than two people participate , caller ID A telephone company service that sends the caller's telephone number between the first and second ring of the call. If the calling number is not blocked, the calling number is displayed on the handset or base station of the called party. services and more. --IAXclient, an open source library that implements the IAX See Asterisk PBX. 2 VoIP protocol used by several VoIP software phones. Core Security discovered two vulnerabilities that affect VoIP software phones which implement the IAX2 protocol using the IAXclient library. "These vulnerabilities exemplify the need to address and act upon IP telephony The two-way transmission of voice over a packet-switched IP network, which is part of the TCP/IP protocol suite. The terms "IP telephony" and "voice over IP" (VoIP) are synonymous. and VoIP security threats in a serious, proactive and systematic manner," said Ivan Arce, CTO (Chief Technical Officer) The executive responsible for the technical direction of an organization. See CIO and salary survey. at Core Security Technologies. "It's a testament to the dedication and responsiveness of the developers involved with both of these widely used open source software products that security fixes were made available so quickly to their users." Vulnerability Specifics: Asterisk PBX Open source PBX software that runs under Linux and other Unix variants on a variety of hardware, including x86, PowerPC, POWER and Xscale. Supporting traditional telephony (TDM) as well as voice over IP (VoIP), Asterisk is written in C and uses the Unix standard POSIX programming truncated video frame vulnerability--The Asterisk-specific IAX2 protocol includes support for transmission of video between the IAX2 clients that implement this feature. A vulnerability found in the Asterisk's handling of IAX2 video frames could lead to the remote compromise of the system running the software PBX through execution of arbitrary code In computer security, arbitrary code is executable code introduced externally that runs despite the intent of the original programmer. The code is injected into a currently-running application or its memory space, thus making the application execute the code. of the attacker's choosing with the privileges of the Asterisk daemon. The vulnerability affects Asterisk PBX software versions up to and including v1.2.8. IAXclient truncated frames vulnerabilities--IAXclient is an open source library that implements the IAX2 VoIP protocol used by the Asterisk IP PBX and several VoIP software phones. Two vulnerabilities have been discovered in the library that may grant attackers remote execution of arbitrary code on systems using software packages that rely on the library to implement the IAX protocol support. Although these vulnerabilities were discovered and tested using in the IDE FISK Fisk , James 1834-1872. American railroad financier and speculator who attempted in 1869 to corner the gold market with Jay Gould, leading to Black Friday, a day of nationwide financial panic. software phone, other software packages that use the IAXclient library are also vulnerable. The maintainers of the vulnerable software have updated their packages with fixed versions For more information on both vulnerabilities, the systems they affect and their corresponding security fixes please visit: http://www.coresecurity.com/common/showdoc.php?idx=547&idxseccion=10 and http://www.coresecurity.com/common/showdoc.php?idx=548&idxseccion=10 About CoreLabs CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Results from these efforts include problem formalization for·mal·ize tr.v. for·mal·ized, for·mal·iz·ing, for·mal·iz·es 1. To give a definite form or shape to. 2. a. To make formal. b. , identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/ About Core Security Technologies Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company's flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. |
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion