A vulnerability in the Asterisk private branch exchange (PBX) server that enables an attacker to gain complete control of a PBX system has been discovered by the Australian and New Zealand security outfit Security-Assessment.com.

The exploit allows an attacker to spoof caller IDs, sniff voice calls on the network and take complete control of the system. No public exploits of the vulnerability have been released since it was discovered on Oct. 18. Asterisk was notified of the discovery on Tuesday, Oct. 17. A patch for the vulnerability was released by Asterisk the following day.

Adam Boileau, senior security consultant for Security-Assessment.com, said the vulnerability directly affects Asterisk versions 1.0 and 1.2. Version 1.4, currently in development, is not affected. Boileau said the vulnerability is reached before calls are authorized within the PBX and is restricted to the Asterisk phone server when it is “talking” to Cisco phones.

“The vulnerability occurs early in the connection when Asterisk opens a port. Cisco phones communicate on [2000/TCP, Skinny Client Control Protocol], and the first packet you send is used to exploit the vulnerability before any configuration occurs,” Boileau said. “This means you activate the exploit before pre-authentication on the network and before any error handling occurs, which makes it a really nice vulnerability to exploit; it is straightforward with only a few dependencies.”

Boileau said it is a combination of two normal classes of vulnerabilities that, when put together, provide the right root access.

“We have written the exploit internally and have no intention of releasing it. There is no public material available to use this as a functional exploit; however, there are some problems running this exploit in a production environment,” he said.

“The proof of concept is exploitable, and it would take a skilled black hat just a few days to make a reliable weaponized exploit for a script kiddie.”

Boileau said use of Asterisk is not so common in the corporate analog phone space, but it is used heavily in the ISP and voice-over-IP market.

-Michael Crawford, Computerworld Australia