Admins of the popular IP telephony application Asterisk have a lovely end to the week ahead of them - there are two moderate vulnerabilities, and one critical mess, that need patches. The worst of the three is this one: a bug in the Real-time Transport Protocol (RTP) stack that exposes a system to information disclosure. The …

  1. bombastic bob Silver badge

    are these being exploited

    are these vulnerabilities being exploited? perhaps by some of the illegal robocallers? Just wondering...

    I considered setting up Asterisk on my home phone system at one time. It'd be kinda cool, and would help do messaging and keep the cold callers at bay - "press 1 if you are human" and let people get ahold of me that way. Aside from NOT wanting to spend money on a voice modem that's compatible with Asterisk [and a dedicated computer to run it on] I haven't done it, but it would be pretty cool, I bet.

    Well, that's gonna have to wait a bit longer, until after it's patched.

    [I messed with Asterisk a decade or so ago, when the company I was working for was trying to use IP phones over a wifi system with a steering antenna like the Siemens SE568 has - we wanted to see how it affected voice quality with wifi phones, with QoS and other stuff enabled - but nothing since then]

    1. Anonymous Coward

      Re: are these being exploited

      "Well, that's gonna have to wait a bit longer, until after it's patched."

      The patch is likely to be your lowest risk. You're more likely to be exposed by misconfiguring voicemail, a SIP trunk or just a plain old unsecured box facing the internet.
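      To make the two threads above concrete (the screening "press 1 if you are human" idea in the original post, and the reply's point that voicemail, trunk and exposed-box misconfiguration carry more risk than the RTP bug itself), here is an added configuration example. It is not from the thread or from the Asterisk project; the peer names, the LAN range, the provider host, the prompt file and the PINs are all constructed placeholders. It uses the legacy chan_sip driver's sip.conf keys, and none of it addresses the RTP vulnerability the article is about; it only shows the weak settings beside their corrected form.

```ini
; ---- sip.conf: the weak version (the misconfiguration the reply above refers to) ----
[general]
allowguest=yes            ; unauthenticated callers are accepted...
context=internal          ; ...and land in a context that can dial the trunk: toll fraud
alwaysauthreject=no       ; "no such user" vs "bad password" differ: lets attackers enumerate users

; ---- sip.conf: corrected ----
[general]
allowguest=no
alwaysauthreject=yes      ; same rejection for unknown user and wrong password
context=unauthenticated   ; anything that still arrives unauthenticated can only be hung up

[phone-kitchen]           ; constructed name for the house phone
type=friend
host=dynamic
secret=CHANGE-ME-long-random-secret   ; placeholder: use a long random value, not an extension number
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0      ; constructed LAN range: register from the LAN only
disallow=all
allow=ulaw

[mytrunk]                 ; constructed name for the provider trunk
type=peer
host=sip.example.net      ; placeholder provider host
context=from-trunk        ; inbound provider calls get the screening IVR, never [internal]

; ---- extensions.conf ----
[unauthenticated]         ; guest/unknown SIP callers: no route to anywhere
exten => _X.,1,Hangup()
exten => s,1,Hangup()

[from-trunk]              ; calls from the provider: the "press 1 if you are human" gate
exten => s,1,Answer()
 same => n,Background(custom/press-1-if-human)   ; placeholder prompt recording
 same => n,WaitExten(5)
exten => 1,1,Dial(SIP/phone-kitchen,30)          ; a human pressed 1: ring the house phone
 same => n,Voicemail(100@default,u)
 same => n,Hangup()
exten => t,1,Hangup()                            ; timeout: a robocaller never pressed anything
exten => i,1,Hangup()                            ; invalid digit

[internal]                ; only authenticated local phones reach the trunk
exten => _1NXXNXXXXXX,1,Dial(SIP/mytrunk/${EXTEN})
exten => 100,1,VoiceMailMain(100@default)

; ---- voicemail.conf ----
[default]
; weak: 100 => 1234,Home Mailbox       ; guessable PIN, the classic voicemail misconfiguration
100 => 839217,Home Mailbox             ; placeholder PIN: longer and not an extension or year
```

      The point of the split contexts is that the only path to the trunk's Dial() runs through [internal], which a peer can reach only after authenticating with its secret, while guests and provider calls are confined to contexts that cannot place outbound calls.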

    2. Anonymous Coward

      Re: are these being exploited

      If you're using it with a modem only then you aren't using RTP externally so you're safe there.

    3. sanmigueelbeer Silver badge

      Re: are these being exploited

      keep the cold callers at bay

      Hello, this is Lenny ...

  2. Christian Berger

    Asterisk has lots of bugs regarding RTP

    One conceptual bug, for example, is that it switches the codec of outgoing packets whenever it gets a packet with a differing codec. If you connect 2 Asterisk servers with the right delay, and have 2 or more codecs enabled on those, you'll get constant codec switching.

  3. Anonymous Coward

    But it's open source!

    Many eyes, but all looking at pr0n...

    1. Christian Berger

      Re: But it's open source!

      Asterisk probably is one of those prime examples of "Open Source" vs "Free Software". It's essentially developed by one single company which is very picky with even patches that would be sensible. (like the Opus Patch that's floating around)

