A vulnerability in the Asterisk PBX server that enables an attacker to gain complete control of a PBX system has been discovered by an Australian and New Zealand security outfit.
The exploit allows an attacker to spoof caller-IDs, sniff voice calls on the network and take complete control of the system. No public exploits of the vulnerability have been released since it was discovered on October 18 this year.
Adam Boileau, senior security consultant for Security-Assessment.com, said the vulnerability directly affects Asterisk versions 1.0 and 1.2.
Version 1.4, currently in development, is not affected. Boileau said the vulnerability occurs before calls are authorized within the PBX and is restricted to the Asterisk phone server when it is "talking" to Cisco phones.
"The vulnerability occurs early in the connection when Asterisk opens a port. Cisco phones communicate on (2000/TCP, Skinny Client Control Protocol) and the first packet you send is used to exploit the vulnerability before any configuration occurs," Boileau said.
"This means you activate the exploit before pre-authentication on the network and before any error handling occurs which makes it a really nice vulnerability to exploit; it is straightforward with only a few dependencies."
Boileau said it is a combination of two normal classes of vulnerabilities which, together, provide root access.
"We have written the exploit internally and have no intention of releasing it. There is no public material available to use this as a functional exploit; however, there are some problems running this exploit in a production environment," he said.
"The proof of concept is exploitable and it would take a skilled black hat just a few days to make a reliable weaponised exploit for a script kiddie."
Boileau said Asterisk is not so common in the corporate analog phone space but is used heavily in the ISP and VoIP market.
Asterisk was notified of the discovery on Tuesday, October 17. A patch for the vulnerability was released by Asterisk on Wednesday, October 18.