by CIO Staff

Exploit in Asterisk PBX Software Patched

Oct 24, 20062 mins
Enterprise Applications

A vulnerability in the Asterisk private branch exchange (PBX) server that enables an attacker to gain complete control of a PBX system has been discovered by an Australian and New Zealand security outfit

The exploit allows an attacker to spoof caller-IDs, sniff voice calls on the network and take complete control of the system. No public exploits of the vulnerability have been released since it was discovered on Oct. 18.

Asterisk was notified of the discovery on Tuesday, Oct. 17. A patch for the vulnerability was released by Asterisk the following day.

Adam Boileau, senior security consultant for, said the vulnerability directly affects the Asterisk versions 1.0 and 1.2.

Version 1.4, currently in development, is not affected. Boileau said the vulnerability lies before the calls are authorized within the PBX and is restricted to a vulnerability within the Asterisk phone server when “talking” to Cisco phones.

“The vulnerability occurs early in the connection when Asterisk opens a port. Cisco phones communicate on [2000/TCP, Skinny Client Control Protocol], and the first packet you send is used to exploit the vulnerability before any configuration occurs,” Boileau said.

“This means you activate the exploit before pre-authentication on the network and before any error handling occurs, which makes it a really nice vulnerability to exploit; it is straightforward with only a few dependencies.”

Boileau said it is a combination of two normal classes of vulnerabilities and when it is together provides the right root access.

“We have written the exploit internally and have no intention of releasing it. There is no public material available to use this as a functional exploit; however, there are some problems running this exploit in a production environment,” he said.

“The proof of concept is exploitable, and it would take a skilled black hat just a few days to make a reliable weaponized exploit for a script kiddie.”

Boileau said use of Asterisk is not so common in the corporate analog phone space, but is used heavily in the ISP and voice-over-IP market.

-Michael Crawford, Computerworld Australia

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.