The Digium security team issued two security advisories this week for Asterisk:
- AST-2011-003: Resource exhaustion in Asterisk Manager Interface
- AST-2011-004: Remote crash vulnerability in TCP/TLS server
The second one, AST-2011-004, is the more concerning of the two, because it means an unauthenticated remote attacker who can reach the TCP/TLS listener can crash the Asterisk process, taking down call handling for everyone on that system.
The solution, in both cases, is to upgrade to the latest Asterisk releases.
UPDATE: 3/18/11 – Olle Johansson pointed out on Twitter:
Either upgrade or do not use SIP/TCP. Installations only using SIP/UDP are not affected and do not need to upgrade.
Thanks for the clarification, Olle.
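Olle's note gives a concrete precondition to check for: a box is exposed to AST-2011-004 only if its SIP channel driver has the TCP or TLS transport turned on. The script below is an added example, not code from this post or from Digium; it checks that precondition two ways, first by reading sip.conf and second by looking at listening sockets. It assumes the chan_sip [general] options tcpenable and tlsenable (both default to no), the default SIP ports 5060 (TCP) and 5061 (TLS), and the column layout of `ss -ltn`. The configuration snippets and socket listing embedded in it are constructed sample input so it runs offline; point the two functions at your real files and `ss` output to use it for real.

```shell
#!/bin/sh
# Added example: does this Asterisk host enable SIP over TCP/TLS?
# Assumptions (not from the post): chan_sip's sip.conf [general] keys
# "tcpenable"/"tlsenable", default ports 5060/5061, and `ss -ltn` layout.

# Exit 0 if the sip.conf text in $1 sets tcpenable or tlsenable to a true
# value inside [general]; exit 1 otherwise. Comments (;) are ignored.
sip_tcp_or_tls_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*;/ { next }                       # whole-line comment
        /^[[:space:]]*\[/ {                             # section header
            in_general = ($0 ~ /^[[:space:]]*\[general\]/); next
        }
        in_general {
            line = $0; sub(/;.*/, "", line)             # trailing comment
            gsub(/[[:space:]]/, "", line)               # "key = val" -> "key=val"
            split(line, kv, "=")
            val = tolower(kv[2])
            if ((kv[1] == "tcpenable" || kv[1] == "tlsenable") &&
                (val == "yes" || val == "true" || val == "1" || val == "on"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if the `ss -ltn` style listing in $1 shows a TCP listener on the
# default SIP (5060) or SIP-TLS (5061) port; exit 1 otherwise.
# A non-default tcpbindaddr/tlsbindaddr port would not be caught here.
sip_tcp_listening() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":"); port = parts[n]   # handles [::]:5060 too
            if (port == "5060" || port == "5061") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample input (not from a real system).
SAMPLE_SIP_CONF_TCP=$(cat <<'EOF'
[general]
context=default
bindaddr=0.0.0.0
tcpenable = yes   ; exposes the TCP listener
tlsenable=no
[1001]
type=friend
EOF
)

SAMPLE_SIP_CONF_UDP=$(cat <<'EOF'
[general]
context=default
;tcpenable=yes
bindaddr=0.0.0.0
[1001]
type=friend
tcpenable=yes   ; wrong section, does not enable the transport
EOF
)

SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5038     0.0.0.0:*
LISTEN 0      128    [::]:5061          [::]:*
EOF
)

# Stand-alone demo over the constructed samples.
for conf in SAMPLE_SIP_CONF_TCP SAMPLE_SIP_CONF_UDP; do
    eval "text=\$$conf"
    if sip_tcp_or_tls_enabled "$text"; then
        echo "$conf: SIP TCP/TLS enabled in config, upgrade or disable it"
    else
        echo "$conf: UDP only in config"
    fi
done
if sip_tcp_listening "$SAMPLE_SS_OUTPUT"; then
    echo "sample socket listing: SIP TCP/TLS listener present"
fi

# On a live host (commented out so the demo stays offline):
# sip_tcp_or_tls_enabled "$(cat /etc/asterisk/sip.conf)" && echo "config enables TCP/TLS"
# sip_tcp_listening "$(ss -ltn)" && echo "TCP/TLS listener is up"
```

Both checks are worth running: the config check tells you what chan_sip will do at the next reload, while the socket check tells you what is actually exposed right now. If either one fires, the host is in the population Olle describes as needing the upgrade; disabling the transport (tcpenable=no and tlsenable=no, then a reload) is the workaround until the patched release is installed.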