Cybersecurity specialists report the discovery of two critical vulnerabilities in Asterisk, a popular open-source Voice over Internet Protocol (VoIP) telephony solution that provides call center functions. According to the report, successful exploitation of these flaws would allow threat actors to launch denial of service (DoS) attacks against vulnerable deployments.

Below are brief descriptions of the reported flaws, along with their identifiers and the scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-31878: Improper management of internal resources in the PJSIP channel driver (res_pjsip_session.c) allows remote users to send re-INVITE messages without SDP after Asterisk has sent a BYE request, resulting in a DoS condition.

This is a medium severity flaw and received a CVSS score of 3.8/10 on the affected systems.
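The message sequence described for CVE-2021-31878 can be looked for in a captured SIP trace. The following Python code is an added example, not code from the Asterisk project or from the original report; the trace format (direction, raw message pairs), the hostnames and the Call-ID values are constructed assumptions.

```python
# Added example (not Asterisk code): detect a re-INVITE without SDP received after Asterisk sent BYE.
COMPACT = {"i": "call-id", "c": "content-type", "t": "to"}  # RFC 3261 compact header names

def parse_sip(raw):
    """Return (method, headers, body); method is None for a response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    token = lines[0].split(" ")[0]
    method = None if token.startswith("SIP/") else token.upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[COMPACT.get(key, key)] = value.strip()
    return method, headers, body

def has_sdp(headers, body):
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "application/sdp" and bool(body.strip())

def find_late_reinvites(trace):
    """trace: (direction, raw) pairs; 'out' = sent by Asterisk, 'in' = received by it."""
    bye_sent, hits = set(), []
    for direction, raw in trace:
        method, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")
        if method is None or call_id is None:
            continue
        if direction == "out" and method == "BYE":
            bye_sent.add(call_id)  # Asterisk is tearing this dialog down
        elif (direction == "in" and method == "INVITE" and call_id in bye_sent
              and "tag=" in headers.get("to", "").lower() and not has_sdp(headers, body)):
            hits.append(call_id)  # in-dialog INVITE, no SDP offer, after our BYE
    return hits

def msg(start, call_id, sdp=False):
    """Build a constructed in-dialog SIP request for the sample trace."""
    hdrs = [start, f"Call-ID: {call_id}", "To: <sip:100@pbx.example>;tag=as1"]
    body = "v=0\r\ns=-\r\n" if sdp else ""
    if sdp:
        hdrs.append("Content-Type: application/sdp")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body

INV, BYE = "INVITE sip:100@pbx.example SIP/2.0", "BYE sip:200@peer.example SIP/2.0"
SAMPLE_TRACE = [  # constructed: a1 is the flagged sequence, b2 and c3 are benign
    ("out", msg(BYE, "a1")), ("in", msg(INV, "a1")), ("in", msg(INV, "b2")),
    ("out", msg(BYE, "c3")), ("in", msg(INV, "c3", sdp=True)),
]
```

A re-INVITE without SDP is legitimate on its own (a delayed offer), so only the combination with an earlier outbound BYE on the same Call-ID is reported.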

CVE-2021-32558: This flaw exists due to incorrect validation of user-provided input in the IAX2 channel driver chan_iax2.c. Remote threat actors can send a packet that contains an unsupported media format, resulting in a DoS condition.

This is a medium severity flaw that received a CVSS score of 6.5/10.

Both flaws affect the following versions of Asterisk: 13.23.0 rc1, 13.24.0 rc1, 13.25.0 rc1, 13.26.0 rc1, 13.27.0 rc1, 13.28.0 rc1, 13.29.0 rc1, 13.30.0 rc1, 13.31.0 rc1, 13.32.0 rc1, 13.33.0 rc1, 13.34.0 rc1, 13.35.0 rc1, 13.36.0 rc1, 13.37.0 rc1, 13.38.0, 13.38.0 rc1, 13.38.1, 13.38.2, 16.2.0 rc1, 16.3.0 rc1, 16.4.0 rc1, 16.5.0 rc1, 16.6.0 rc1, 16.7.0 rc1, 16.8.0 rc1, 16.9.0 rc1, 16.10.0 rc1, 16.11.0 rc1, 16.12.0 rc1, 16.13.0 rc1, 16.14.0 rc1, 16.15.0 rc1, 16.16.0 rc1, 16.17.0 rc1, 16.18.0 rc1, 16.19.0, 16.19.0 rc1, 17.0.0, 17.0.0 rc1, 17.0.1, 17.1.0 rc1, 17.2.0 rc1, 17.3.0 rc1, 17.4.0 rc1, 17.5.0 rc1, 17.6.0 rc1, 17.7.0 rc1, 17.8.0 rc1, 17.9.0, 17.9.0 rc1, 17.9.1, 17.9.2, 17.9.3, 18.0.0 rc1, 18.1.0 rc1, 18.2.0 rc1, 18.3.0, 18.3.0 rc1, 18.4.0, 18.4.0 rc1, 18.5.0 and 18.5.0 rc1.

While the flaws can be exploited by unauthenticated remote threat actors, so far there have been no reports of exploitation attempts in the wild or of any malware variant associated with the attack.

The flaws have already been addressed, so users of affected deployments are encouraged to update as soon as possible.

The post 2 vulnerabilities in Asterisk servers allow hackers to listen to your business phone calls appeared first on Information Security Newspaper | Hacking News.
