Several vulnerabilities exist in various Asterisk products. They can lead to denial-of-service conditions, allow security restrictions to be bypassed, and may allow the compromise of an affected system.
Two of the vulnerabilities result from errors that can arise when RTP codecs are processed. If more than 32 RTP payloads are sent, a stack-based buffer overflow may occur. In the other case, a specially crafted SIP packet can be used to write 0 into certain memory locations. The final vulnerability results from problems in the SIP channel driver.
Make sure that you have updated to the releases below, as applicable to your site:
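The 32-payload overflow described above is the kind of defect that arises when a count is not checked against a fixed-size stack array before each write. The C parser below is an added illustration of that check, not Asterisk's code or the vendor's patch; the function name, the space-separated input format and the 0-127 payload-type range are assumptions made for the example.

```c
#include <errno.h>
#include <stdlib.h>

#define MAX_RTP_PAYLOADS 32   /* limit named in the advisory text */

/* Hypothetical helper: copy payload-type numbers from a space-separated
 * list (constructed input such as "0 8 101") into out[], which holds
 * MAX_RTP_PAYLOADS entries.
 * Returns the number stored, or -1 if the list is malformed or has more
 * entries than the array; nothing is ever written past out[31]. */
int parse_payload_list(const char *list, int out[MAX_RTP_PAYLOADS])
{
    int count = 0;
    const char *p = list;

    while (*p != '\0') {
        char *end;
        long pt;

        while (*p == ' ')           /* skip separators */
            p++;
        if (*p == '\0')
            break;

        errno = 0;
        pt = strtol(p, &end, 10);
        if (end == p || errno != 0 || pt < 0 || pt > 127)
            return -1;              /* not a 7-bit RTP payload type */
        if (*end != ' ' && *end != '\0')
            return -1;              /* trailing junk after the number */

        /* Test the index before writing; an unchecked out[count++]
         * is what turns a long list into a stack overflow. */
        if (count >= MAX_RTP_PAYLOADS)
            return -1;
        out[count++] = (int)pt;
        p = end;
    }
    return count;
}
```

Rejecting the whole list, rather than silently truncating it, keeps the parser's view of the offer consistent with the sender's.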
Update to version 1.2.27.
Update to version 18.104.22.168.
Asterisk Business Edition:
Update to version B.2.5.1 and C.1.6.2.
s800i (Asterisk Appliance):
Update to version 22.214.171.124.
Asterisk Appliance Developer Kit:
Fixed in the SVN repository. Please see the vendor’s advisories for details.