Asterisk IAX2 (IAX) POKE Request Saturation Resource Exhaustion Remote DoS
Medium Nessus Plugin ID 33576
SynopsisThe remote VoIP service is susceptible to a remote denial of service attack.
DescriptionThe version of Asterisk running on the remote host consumes an IAX2 call number while waiting for an ACK packet in response to a PONG packet. By flooding the affected service with POKE requests, an unauthenticated, remote attacker can leverage this issue to exhaust all available call numbers and prevent legitimate IAX2 calls from getting through.
SolutionUpgrade to Asterisk Open Source 18.104.22.168 / 1.2.30, Asterisk Business Edition C.2.0.3 / C.1.10.3 / B.2.5.4, s800i (Asterisk Appliance) 22.214.171.124 or later.