Convergence / VoIP Notes archive.
VoIP PBX vendor Digium is responding to vulnerability warnings about its PBX code by urging users to follow sound security procedures and upgrade to the latest software version.
The two vulnerabilities found by ISS could make the PBX servers based on open source Asterisk code vulnerable to denial of service attacks. Digium, whose products are based on Asterisk, says it will post a warning to its newsgroup today as well as post a warning on its asterisk.org Web site.
One vulnerability ISS points to lets an attacker flood the phone service with call requests, thereby preventing the phone service from handling new telephone calls.
According to Kevin Fleming, senior software engineer for Digium, the problem lies in the number of calls a single user can have open at once. The Asterisk IAX2 software gives users one minute to enter their authentication code when they try to place a call. If no authentication is entered, the PBX drops the request.
Default settings let each caller open as many requests as they want to, so theoretically, a user could place the first call, then generate as many other calls as possible in the next minute. If that approaches the 32,000-call limit of the server, that one user could cause a denial of service.
The remedy, issued in version 1.2.10 of the software last Friday, adds a configuration setting that limits the number of call requests a single user can have open at any one time. The recommended limit for an individual user is two or three, and for a peer PBX 20-30. Version 1.4 of the software, due to go to beta soon, will set a low default limit, he says.
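To make the per-user limit concrete, the following is an added Python model of the mitigation described above; it is not Digium's or Asterisk's code. The 60-second authentication window and the 32,000-call ceiling are taken from the article; the user names, the limit values passed in, and the flood simulation are constructed for illustration. The model tracks unauthenticated call requests per user, expires each one after the authentication window, and rejects new requests from a user who already has the configured number pending, so that one flooding user can no longer consume the server's whole call pool.

```python
"""Per-user pending call-request limiter (added illustration, not Asterisk code)."""
import time
from collections import defaultdict, deque

AUTH_TIMEOUT = 60.0        # from the article: one minute to authenticate a call request
SERVER_CALL_LIMIT = 32000  # from the article: roughly 32,000 concurrent calls per server


class CallRequestLimiter:
    """Tracks unauthenticated call requests per user and enforces a per-user cap.

    per_user_limit=None models the pre-1.2.10 default (no cap); a small integer
    models the setting added in 1.2.10.  `clock` is injectable so the simulation
    below can advance time deterministically.
    """

    def __init__(self, per_user_limit, auth_timeout=AUTH_TIMEOUT,
                 server_limit=SERVER_CALL_LIMIT, clock=time.monotonic):
        self.per_user_limit = per_user_limit
        self.auth_timeout = auth_timeout
        self.server_limit = server_limit
        self.clock = clock
        self.pending = defaultdict(deque)   # user -> start times of pending requests
        self.total_pending = 0
        self.rejected = defaultdict(int)    # user -> count of refused requests (for reporting)

    def _expire(self, now):
        # Drop requests whose authentication window has elapsed (the PBX "drops the request").
        for queue in self.pending.values():
            while queue and now - queue[0] >= self.auth_timeout:
                queue.popleft()
                self.total_pending -= 1

    def new_request(self, user):
        """Return True if the request is admitted, False if it is refused."""
        now = self.clock()
        self._expire(now)
        if self.total_pending >= self.server_limit:
            self.rejected[user] += 1          # server-wide pool exhausted: denial of service
            return False
        if self.per_user_limit is not None and len(self.pending[user]) >= self.per_user_limit:
            self.rejected[user] += 1          # per-user cap reached: only this user is throttled
            return False
        self.pending[user].append(now)
        self.total_pending += 1
        return True

    def over_limit_users(self):
        """Users that have had requests refused; a defender would alert on these."""
        return sorted(u for u, n in self.rejected.items() if n > 0)


def simulate_flood(per_user_limit, attempts=40000):
    """One user ("flooder") sends `attempts` call requests within a single minute,
    then a second user ("legit-peer") tries to place a call.

    Returns (requests the flooder got admitted, whether the legitimate call succeeded).
    """
    clock = [0.0]
    limiter = CallRequestLimiter(per_user_limit, clock=lambda: clock[0])
    admitted = sum(limiter.new_request("flooder") for _ in range(attempts))
    clock[0] += 1.0                      # still well inside the flooder's one-minute window
    legit_ok = limiter.new_request("legit-peer")
    return admitted, legit_ok


if __name__ == "__main__":
    print("no per-user limit  :", simulate_flood(None))   # flooder fills the pool, legit call fails
    print("per-user limit = 3 :", simulate_flood(3))      # flooder capped at 3, legit call succeeds
```

With no cap the flooder is admitted until the 32,000-call pool is full and the legitimate peer is refused; with a cap of three the flooder gets three pending requests and everyone else is unaffected. The `over_limit_users` helper is the natural hook for logging or alerting on accounts that repeatedly hit the cap, which is how a defender would notice an attempted flood rather than merely survive it.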
The other vulnerability is described by ISS as allowing attackers to use legitimate accounts without passwords on an Asterisk PBX network to flood another network with large amounts of traffic.
Fleming says Asterisk regards this as an educational issue that it will not address with a code change. "Why do you have unauthenticated users if you're concerned about DoS attacks?" he says. "We're going to tell people that if your server is available to users without authenticated accounts, you're exposing yourself to DoS attacks."