Asterisk SIP Remote Authentication Bypass

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.

Synopsis :

It is possible to bypass authentication and make calls using the
remote VoIP service.

Description :

The version of Asterisk installed on the remote host allows
unauthenticated calls via the SIP channel driver. Using a specially
crafted From header, a remote attacker can bypass authentication and
make calls into the context specified in the 'general' section of

See also :

Solution :

Upgrade to Asterisk 1.2.27 / / 1.4.19-rc3 / 1.6.0-beta6,
Asterisk Business Edition B.2.5.1 / C.1.6.2, AsteriskNOW 1.0.2, Asterisk
Appliance Developer Kit 1.4 revision 109393, s800i (Asterisk Appliance) or later.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.1
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 32135 (asterisk_sip_auth_bypass.nasl)

Bugtraq ID: 28310

CVE ID: CVE-2008-1332