Asterisk Project Security Advisory - AST-2007-013




IAX2 users can cause unauthorized data disclosure

Nature of Advisory

Unauthorized information disclosure


Remote authenticated sessions



Exploits Known


Reported On

April 27, 2007

Reported By

Tim Panton, Mexuar, <>

Birgit Arkesteijn, Westhawk, <>

Posted On

May 4, 2007

Last Updated On

August 21, 2007

Advisory Contact

CVE Name



> From: Tim Panton <>

> Date: 27 April 2007 08:02:36 BDT

> To: "Kevin P. Fleming" <>

> Subject: Possible IAX2 vulnerability (Minor)


> We've stumbled on a bug in the way Asterisk's IAX2 handles text

> frames.

> I'm emailing you because it is a borderline security vulnerability,

> and my

> friends in the security world tell me that I should notify the

> vendor privately

> first. If you feel it isn't a security issue, let me know and I'll

> put it in mantis.


> chan_iax2 assumes that the content of a text frame is a null

> terminated

> string (C style), and when time comes to forward the string it uses

> strlen

> to determine the message length.


> If you send a frame without a 0 byte in it, Asterisk forwards a

> frame that

> includes the sent data and some extra (presumably heap) data.


> If an attacker were lucky, the extra data could contain something

> interesting.

> Or conceivably it could cause a segmentation violation.


Asterisk code has been modified to enforce null-termination of incoming text frames received by the IAX2 channel driver (chan_iax2). When text frames are received without null-termination, this may result in the last byte of data in the frame being lost, if the IAX2 reception process does not have space in its receive buffer to add a null character.

As this vulnerability is of 'low' severity, it does not justify new releases of Asterisk solely for mitigating its impact. The fix for this vulnerability has been committed to the Asterisk Subversion source code repositories and is available to all users who wish to upgrade to a prerelease checkout of the respective development branch for their release series of Asterisk. All other users can upgrade when the next regularly scheduled release of their product is produced.

Affected Versions


Release Series

Asterisk Open Source


has not been evaluated as this release series is no longer maintained

Asterisk Open Source


all releases prior to 1.2.19

Asterisk Open Source


all releases prior to 1.4.5

Asterisk Business Edition


all releases

Asterisk Business Edition


all releases prior to B.2.1



all releases prior to and including Beta 5

Asterisk Appliance Developer Kit


all releases prior to 0.4.1

Corrected In



Asterisk Open Source

1.2.19 and 1.4.5 will be available from when released

Asterisk Business Edition

B.2.1, will be available from the Asterisk Business Edition user portal on or via Digium Technical Support when released


Beta 6, when available from, Beta 5 users can use 'System Update' in the appliance control panel to update their version of AsteriskNOW when Asterisk 1.4.4 has been released

Asterisk Appliance Developer Kit

0.4.1, will be available from when released


Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest version will be posted at

Revision History



Revisions Made

May 4, 2007

initial release

May 4, 2007

proper 'corrected in' release number for Asterisk 1.4

August 21, 2007

Changed name prefix from ASA to AST

Asterisk Project Security Advisory - AST-2007-013
Copyright © 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.