Category: World-wide News/Products & News

Fortify Software says buffer overflows now hitting PBXs

IP-PBX hackers are confining their activities to crashing systems or causing a denial of service attack for mischievous purposes (01.04.08)
- Fortify Software, the application vulnerability specialist, says that
companies may soon find their computerised telephone switchboards - known as
PBXs - hit by a new wave of security flaws. The news follows on from reports
from the MU Security Research Team about security flaws in the Asterisk
range of IP-PBX software applications, which a growing number of companies
are using to computerise their switchboards and take advantage of low cost
Internet telephony calls.
"Recent reports suggest that as many as 50 per cent of major companies are using
Internet telephony services as a way of cutting their telecommunications
costs, but our analysis is that they also need to review their IP telephony
security arrangements as well," said Rob Rachwald, Fortify's director of
product marketing.

"The buffer overload problem in the RTP payload handling code when dealing with a
malformed INVITE or SIM packet with SDP, is, we predict, one of several
buffer-based security problems you're going to see with company IP telephony
systems in the near future," he said.

"Most companies have installed multi-layered security technology on their computer
network, but IP telephony services almost always escape the scrutiny of the
IT security systems in place to protect a company's computers and network
technology," he added.

At the moment, says Rachwald, IP-PBX hackers are confining
their activities to crashing systems or causing a denial of service attack
for mischievous purposes.

"That situation will change, we predict, as hackers from the criminal side of
things start to realise the revenue potential from hacking into company PBXs
and then hack for monetary gain from that route," he said.

For more on the Asterisk VoIP security flaws: http://tinyurl.com/yrpdlo

(Fortify: ra)