[VOIPSEC] Recent examples of non-telephony systems causing telephony systems to crash or be exploited?

Dan York dyork at lodestar2.com
Sat Nov 14 17:26:24 CST 2009


VOIPSEC readers,

I need some help. Do any of you have recent examples of where a security
exploit in an application connected to a telephony server caused the
telephony system to crash?

As I was speaking in a webinar this week about VoIP security best practices,
wearing my VOIPSA hat, I realized that two of the examples I use are
getting a bit dated.  I've been using two examples:

1. The AsteriDex exploit that allowed remote code execution:
        http://securityvulns.com/Rdocument424.html

2. The exploit where malformed MIME bodies could cause an Asterisk box
using IMAP for voicemail storage to crash:
        http://downloads.asterisk.org/pub/security/AST-2007-021.html

My issue is that both are from back in 2007. It's also not ideal that
both are with Asterisk (although in this case this week I was doing an
Asterisk security webinar, so it worked fine).

The point I'm trying to make in that part of the presentation is that
with today's VoIP or "Unified Communications" systems, you really have
an "ecosystem" of connected applications, particularly as we do more
with APIs, web services, etc.  As a result, the security "surface area"
you have to worry about is much larger.  You have to be concerned about
the security of all the connected applications in addition to the
telephony/call server.

Have any of you seen more recent security alerts/advisories that mention
a case where a compromise of a non-telephony application leads to some
action on or compromise of a telephony system?

Thanks,
Dan

-- 
Dan York  dyork at lodestar2.com
http://www.danyork.com/   skype:danyork
Phone: +1-802-735-1624

Disruptive Telephony - http://www.disruptivetelephony.com
Disruptive Conversations - http://www.disruptiveconversations.com/
Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
Voice of VOIPSA - http://www.voipsa.org/blog
Voxeo weblogs - http://blogs.voxeo.com/
Twitter - http://twitter.com/danyork
