Mu Dynamics Labs Discovers, Remediates Exploitable Asterisk DoS Vulnerability

August 11, 2009


By Tim Gray, TMCnet Web Editor


VoIP testing outfit Mu Dynamics has discovered a vulnerability in Asterisk's implementation of the Session Initiation Protocol, or "SIP", that a remote attacker can use to crash the server.

 
The 0-day vulnerability was found by Mu Dynamics Research Labs and rated a critical SIP software flaw: an unauthenticated attacker can crash an Asterisk-based softswitch with a single SIP packet, the very first one sent.
 
“As usual, when a 0-day vulnerability is discovered and remediated, the users of this software are urged to immediately upgrade to the patched version of the product, in this case Digium’s Asterisk,” said Thomas Maufer, Mu Dynamics’ director of technical marketing.
 
Digium, the developer of the open source telephony platform Asterisk, uses SIP as the standards-based session control protocol that sets up, modifies and tears down calls over a VoIP infrastructure.
 
Because SIP carries a wide and constantly changing set of optional features, vendor-specific enhancements and proprietary extensions, an implementation receives call-management messages from many other implementations and must parse all of them robustly; otherwise a single malformed message can take the service down.
 
Asterisk’s SIP implementation is the critical interface between the unfriendly outside world and the internals of the Asterisk code base, according to Maufer.
 
In addition, other protocol implementations may be vulnerable to similar failures, because reading a string and interpreting its characters as decimal digits is a common programming task, especially in text-based protocols such as HTTP, RTSP and SMTP, according to Mu Dynamics.
 
To prevent VoIP service downtime from similar weaknesses in complex code, SIP implementations must be tested with malformed and unexpected variations of real-world service-level traffic throughout the development and deployment life cycles.
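The decimal-field parsing task described above, and the kind of hostile header values a robustness test should feed to a SIP parser, as an added example written for this page (it is not Asterisk's or Mu Dynamics' code, and it is not a reconstruction of the actual flaw): a bounds-checked parser for a numeric SIP header such as Content-Length, exercised on constructed sample messages. The 65535-byte body limit, the function names and the message contents are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Outcomes of parsing a decimal header field. */
enum parse_result { PARSE_OK = 0, PARSE_NOT_FOUND, PARSE_EMPTY,
                    PARSE_BAD_CHAR, PARSE_RANGE };

/* Largest body we accept. An assumption made for this example, not a SIP
 * or Asterisk constant. */
#define MAX_BODY_LEN 65535UL

/* Parse `len` bytes of `s` as an unsigned decimal after trimming SIP linear
 * whitespace. Unlike atoi()/sscanf("%d"), every failure is reported: a
 * non-digit, an empty value, or a value above `max`. The range check runs
 * before the multiply, so it cannot overflow however many digits arrive. */
static enum parse_result parse_decimal_field(const char *s, size_t len,
                                             unsigned long max,
                                             unsigned long *out)
{
    size_t i = 0;
    unsigned long v = 0;

    while (i < len && (s[i] == ' ' || s[i] == '\t'))
        i++;
    while (len > i && (s[len - 1] == ' ' || s[len - 1] == '\t'))
        len--;
    if (i == len)
        return PARSE_EMPTY;
    for (; i < len; i++) {
        unsigned d;
        if (!isdigit((unsigned char)s[i]))
            return PARSE_BAD_CHAR;       /* also rejects '-', '+', "0x" */
        d = (unsigned)(s[i] - '0');
        if (v > max / 10 || (v == max / 10 && d > max % 10))
            return PARSE_RANGE;          /* v * 10 + d would exceed max */
        v = v * 10 + d;
    }
    *out = v;
    return PARSE_OK;
}

/* Find header `name` (case-insensitive, as SIP requires) in a CRLF-delimited
 * message, stopping at the blank line that ends the headers. Returns a
 * pointer to the value inside `msg` (not NUL-terminated) and its length. */
static const char *find_header_value(const char *msg, const char *name,
                                     size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = msg;

    while (*line && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' &&
            strncasecmp(line, name, nlen) == 0) {
            *vlen = llen - nlen - 1;
            return line + nlen + 1;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

static enum parse_result parse_content_length(const char *msg,
                                              unsigned long *out)
{
    size_t vlen;
    const char *v = find_header_value(msg, "Content-Length", &vlen);
    if (!v)
        return PARSE_NOT_FOUND;
    return parse_decimal_field(v, vlen, MAX_BODY_LEN, out);
}

/* Constructed sample messages, not captured traffic. */
static const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 12\r\n"
    "\r\n";

static const char HOSTILE_INVITE[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "content-length: 99999999999999999999999999\r\n"
    "\r\n";

int main(void)
{
    unsigned long n = 0;
    int rc = parse_content_length(SAMPLE_INVITE, &n);
    printf("sample:  rc=%d len=%lu\n", rc, n);
    rc = parse_content_length(HOSTILE_INVITE, &n);
    printf("hostile: rc=%d\n", rc);
    return 0;
}
```

The point of the range test is that it compares before it multiplies: the accumulator never holds a value larger than `max`, so a header made of thousands of digits, or of digits that would wrap a 32-bit counter, is rejected rather than silently truncated. The hostile cases here (an absurdly long digit run, an empty value, a sign or letter where a digit is expected, odd whitespace, mixed-case header names) are exactly the variations a robustness test should inject into every numeric field of a text protocol, not just this one.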
 
“The Mu Dynamics Research Team appreciates Digium’s rapid response time in producing a fix to this serious bug in less than two weeks,” said Maufer.
 
For both operators offering VoIP services and their vendors, products require continuous testing to prove they can tolerate a wide variety of inputs without service degradation or downtime.


Tim Gray is a Web Editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries. To read more of Tim’s articles, please visit his columnist page.

Edited by Michael Dinan