icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Asterisk Peer IAX2 Call Handling ACL Rule Bypass (AST-2012-013)

Medium

Synopsis

The remote VoIP server is affected by a security bypass vulnerability.

Description

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote, authenticated attacker to bypass access controls on out-bound calls.

Inter-Asterisk eXchange (IAX2) out-bound call restrictions can be bypassed if peer credentials, defined in a dynamic Asterisk Realtime Architecture (ARA) backend, are used by an attacker.

Solution

Upgrade to Asterisk 1.8.15.1 / 10.7.1 or apply the patches listed in the Asterisk advisory