Asterisk Peer IAX2 Call Handling ACL Rule Bypass (AST-2012-013)
Medium Nessus Network Monitor Plugin ID 6568
Synopsis
The remote VoIP server is affected by a security bypass vulnerability.
Description
According to the version reported in its SIP banner, the Asterisk installation on the remote host is potentially affected by an access-control bypass (AST-2012-013) that allows a remote, authenticated attacker to place outbound calls that the peer's ACL rules should have blocked.
Specifically, when an Inter-Asterisk eXchange (IAX2) call is placed using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the permit/deny (ACL) rules configured for that peer are not applied to the call attempt. An attacker holding those peer credentials can therefore bypass the outbound call restrictions the ACL was meant to enforce. Note that this check is based solely on the version string in the SIP banner, so it cannot tell whether IAX2 peers are actually served from a realtime backend or whether a vendor has backported the fix.
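The following is an added example, not code from the Nessus plugin or the Asterisk project, that reproduces the kind of banner-based check described above: it pulls the `Server` / `User-Agent` header out of a SIP response, parses the Asterisk version, and compares it against the first fixed release of each affected branch listed in the AST-2012-013 advisory (1.8.15.1 and 10.7.1). The sample SIP response is constructed for illustration, and the helper names (`extract_banner`, `check_banner`) are this example's own. Certified Asterisk builds (`1.8.11-certN`) use a separate numbering scheme and are reported as unknown rather than guessed.

```python
import re

# First release of each affected open-source branch that carries the AST-2012-013 fix,
# per the advisory's "Corrected In" list (1.8.15.1 and 10.7.1). Keys are branch prefixes.
FIXED_VERSIONS = {
    (1, 8): (1, 8, 15, 1),
    (10,): (10, 7, 1),
}

# Default Asterisk banner is "Asterisk PBX <version>"; admins can override it with
# useragent= in sip.conf, so an absent or foreign banner is reported as "unknown".
BANNER_RE = re.compile(r"Asterisk PBX (\d+(?:\.\d+)+)(-cert\d+)?")

# Constructed sample of an OPTIONS response from a pre-fix 1.8 server (not a real capture).
SAMPLE_OPTIONS_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:scanner@192.0.2.10>;tag=1\r\n"
    "To: <sip:192.0.2.20>\r\n"
    "Call-ID: example@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: Asterisk PBX 1.8.14.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def extract_banner(sip_message):
    """Return the Server or User-Agent header value from a raw SIP message, or ''."""
    for line in sip_message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "user-agent"):
            return value.strip()
    return ""


def parse_version(text):
    """'1.8.14.0' -> (1, 8, 14, 0); missing trailing components compare as lower."""
    return tuple(int(part) for part in text.split("."))


def branch_of(version):
    """Map a parsed version to the advisory branch it belongs to, or None."""
    if version[:2] == (1, 8):
        return (1, 8)
    if version[:1] == (10,):
        return (10,)
    return None


def check_banner(banner):
    """Classify a banner as 'vulnerable', 'patched' or 'unknown' for AST-2012-013."""
    match = BANNER_RE.search(banner)
    if not match:
        return "unknown"
    if match.group(2):
        # Certified Asterisk (e.g. 1.8.11-cert5) is numbered separately; do not guess.
        return "unknown"
    version = parse_version(match.group(1))
    branch = branch_of(version)
    if branch is None:
        return "unknown"
    # Tuple comparison handles 1.8.15 (== 1.8.15.0) < 1.8.15.1 correctly.
    return "vulnerable" if version < FIXED_VERSIONS[branch] else "patched"


if __name__ == "__main__":
    banner = extract_banner(SAMPLE_OPTIONS_RESPONSE)
    print(f"banner={banner!r} -> {check_banner(banner)}")
```

Two caveats apply to any such version check. First, the bypass only exists when IAX2 peers are loaded from a realtime backend (an `iaxpeers =>` mapping in extconfig.conf); a host whose IAX2 peers are all defined statically in iax.conf, or that does not run chan_iax2 at all, will still be flagged. Second, distribution packages that backport the patch without bumping the version string will be reported as vulnerable, so confirm on the host (e.g. `asterisk -rx "core show version"` and the package changelog) before raising an incident.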
Solution
Upgrade to Asterisk 1.8.15.1 / 10.7.1 or later, or apply the patches listed in the Asterisk advisory (AST-2012-013).