Asterisk IAX2 Text Frame Vulnerability Disclosed

The IAX2 implementation of the Inter-Asterisk Exchange (IAX) protocol within Asterisk contains a vulnerability that may allow a remote attacker to receive unauthorized, although most likely useless, garbage data.

chan_iax2 assumes that text frames are null-terminated (C string format). If someone sends a zero-byte frame, Asterisk will forward that zero-length frame along with additional, unintended data.

Resolution
The Asterisk source code has been modified to enforce null-termination of incoming text frames received by the IAX2 channel driver (chan_iax2). When text frames are received without null-termination, this may result in the last byte of data in the frame being lost, if the IAX2 reception process does not have space in its receive buffer to add a null character.
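
The termination rule described above, as an added C example (not Asterisk's code and not part of the original post). The helper `terminate_text_frame`, the `demo` wrapper and the 8-byte buffer size are hypothetical names and values chosen for illustration; the payloads are constructed.

```c
#include <stdio.h>
#include <string.h>

#define RXBUF 8   /* constructed receive-buffer size, for the demo only */

/* Hypothetical helper, not Asterisk's code: turn datalen received bytes in
 * buf (capacity bufsize) into a valid C string. Returns 1 if the last
 * payload byte had to be overwritten to make room for the terminator. */
static int terminate_text_frame(unsigned char *buf, size_t bufsize, size_t datalen)
{
    if (bufsize == 0)
        return 0;                       /* nothing to terminate */
    if (datalen > bufsize)
        datalen = bufsize;              /* never trust a length past the buffer */
    if (datalen > 0 && buf[datalen - 1] == '\0')
        return 0;                       /* sender already terminated the text */
    if (datalen < bufsize) {
        buf[datalen] = '\0';            /* spare room: append the terminator */
        return 0;
    }
    buf[bufsize - 1] = '\0';            /* buffer full: last byte is lost */
    return 1;
}

struct result { size_t len; int lost; };

/* Receive a constructed payload into a buffer that still holds stale bytes
 * ('S') from earlier traffic, then report what a string consumer would see. */
static struct result demo(const char *payload, size_t datalen)
{
    unsigned char buf[RXBUF];
    struct result r;

    memset(buf, 'S', sizeof(buf));
    if (datalen > sizeof(buf))
        datalen = sizeof(buf);
    memcpy(buf, payload, datalen);
    r.lost = terminate_text_frame(buf, sizeof(buf), datalen);
    r.len = strlen((const char *)buf);  /* safe only because of the call above */
    return r;
}

int main(void)
{
    struct result r = demo("", 0);          /* zero-length text frame */
    printf("empty: len=%zu lost=%d\n", r.len, r.lost);
    r = demo("ABCDEFGH", RXBUF);            /* unterminated, fills the buffer */
    printf("full:  len=%zu lost=%d\n", r.len, r.lost);
    return 0;
}
```

The zero-length case yields an empty string instead of the stale bytes, and the full-buffer case shows the one-byte truncation the resolution text mentions.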

This vulnerability is classified as ‘low’ and did not warrant a specific release of new versions. The fix for this vulnerability has been committed to the Subversion code repository.

For those looking to acquire this fix immediately, you can check out one of the following SVN revisions:

SVN 1.2 Branch Revision 62691
SVN 1.4 Branch Revision 62692

Vulnerable Versions:

  • Asterisk Versions Prior to 1.2.19
  • Asterisk Versions Prior to 1.4.4
  • Asterisk Business Edition Versions A.x.x
  • Asterisk Business Edition Versions Prior to B.2.1
  • AsteriskNOW Versions Prior to and Including Beta 5
  • Asterisk Appliance Developer Kit Versions Prior to 0.4.1

This entry was posted on Monday, May 7th, 2007 at 12:35 pm and is filed under Asterisk.