Securing Asterisk - help for a master's student


#1

Hi,

I am currently doing my master's in computer science and am focusing on security issues that affect softswitches. Is Asterisk really secure? I ask because I have only found 5 documented vulnerabilities for it. What are the recommendations for securing a softswitch? I see that a lot of companies are just putting SIP firewalls, SBCs and VLANs onto their networks. Is this the only way?

Thanks
jake


#2

Can you tell us which are the 5 documented cases?

Are you thinking about SRTP, MIM or denial-of-service attacks?

C.


#3

Here are the 5 documented cases that I have found:

• vmail.cgi folder Variable Traversal Arbitrary .wav File Access
• Asterisk Manager CLI Command Overflow
• CallerID SQL Injection
• SIP Implementation Issue
• Logging Format String Vulnerabilities

I am looking at the actual softswitch and how to secure it from attacks, for example how to secure Asterisk from a DoS attack.

jake


#4

I’m not very sure, but I think that these cases:

• vmail.cgi folder Variable Traversal Arbitrary .wav File Access
• Asterisk Manager CLI Command Overflow
• CallerID SQL Injection

are not currently occurring in Asterisk 1.2.

If you are interested in the SIP Implementation Issue, look here:

bugs.digium.com/view_all_bug_page.php

C.


#5

Yes, none of the 5 cases that I posted occur in the latest versions of Asterisk. I want to know if there are any other vulnerabilities that have been found in Asterisk besides the 5 that I have mentioned.