
Asterisk - Remote hacker automatic control

Version: 1.4.2 and prior.
Technical Details:

Multiple remote, unauthenticated stack overflows exist in Asterisk's chan_sip.c: two closely related stack-based buffer overflows in the SIP/SDP handler.

These vulnerabilities can be triggered by a number of different SIP messages, either on calls received by Asterisk or in responses to calls made by Asterisk.

Description:

Asterisk is vulnerable to two related issues affecting handling of SIP/SDP network traffic. These issues can lead to an attacker taking control of a vulnerable server / system that is running Asterisk.

Asterisk developers have released an update to address these issues.

Mitigation:

Update to the latest versions of Asterisk or AsteriskNOW as appropriate.
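To decide which servers need the update, the version range above can be checked across an inventory. The following is an added example, not part of the original advisory or the Asterisk project: it assumes version banners were collected with `asterisk -V`, applies the stated range ("1.4.2 and prior") literally, and uses constructed host names and banners.

```python
import re

# Affected range as stated in the advisory: "1.4.2 and prior".
LAST_AFFECTED = (1, 4, 2)

# `asterisk -V` prints a banner such as "Asterisk 1.4.2"; pre-releases carry
# a suffix ("1.4.0-beta3") and SVN builds have no numeric release at all.
_BANNER = re.compile(r"^Asterisk\s+(\d+(?:\.\d+)*)(\S*)", re.IGNORECASE)


def classify(banner):
    """Return 'affected', 'not-affected' or 'review' for one version banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        return "review"  # unparseable build string: check the source revision by hand
    nums = tuple(int(part) for part in m.group(1).split("."))
    # Compare numerically, component by component; as strings "1.4.10" < "1.4.2".
    width = max(len(nums), len(LAST_AFFECTED))
    version = nums + (0,) * (width - len(nums))
    limit = LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))
    if version <= limit:
        return "affected"
    # A pre-release of a later version may predate the fix; do not clear it automatically.
    return "review" if m.group(2) else "not-affected"


def audit(inventory):
    """Map each host to its classification, worst findings first."""
    order = {"affected": 0, "review": 1, "not-affected": 2}
    results = {host: classify(banner) for host, banner in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))


# Constructed sample inventory (hypothetical hosts, banners as collected with `asterisk -V`).
SAMPLE = {
    "pbx1.example": "Asterisk 1.4.2",
    "pbx2.example": "Asterisk 1.4.10",
    "pbx3.example": "Asterisk 1.4.0-beta3",
    "pbx4.example": "Asterisk 1.2.17",
    "pbx5.example": "Asterisk SVN-branch-1.4-r61000",
    "pbx6.example": "Asterisk 1.6.0-rc2",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:34} {status}")
```

Hosts reported as "review" run builds whose banner cannot be placed against the range automatically and need a manual check of the source revision.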

Updates:

http://www.asterisk.org

Source:

NGS Software (nisr <at> ngssoftware.com)

Exploits:

NGS Software (nisr <at> ngssoftware.com)

External Tracking Data:

