Digium, the developer of Asterisk, has released a new version of the telephone system software, which remedies two vulnerabilities in the voice mail system that could lead to a denial-of-service attack or a remote compromise.
The vulnerability is caused by a boundary error within the IMAP-specific code for processing voice mail messages. This can be exploited to cause a buffer overflow via a specially crafted voice mail message sent as e-mail containing an overly long (more than 1,024 characters) combination of Content-Type and Content-Description headers.
Successful exploitation requires the user to listen to the voice mail message via a phone. Users retrieving their voice mail via e-mail are not affected. The above vulnerability is reported in 1.4.x versions and is fixed in the 1.4.13 update.
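The kind of length check a boundary error like this calls for, as an added C example (not Digium's or Asterisk's code). The 1,024-byte buffer size comes from the figure in the article; the function names, the sample header values and the way the two headers are joined are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, taken from the 1,024-character figure in the article. */
#define HDR_BUF_LEN 1024

/* Hypothetical helper: join two untrusted header values into out[].
 * Returns 0 on success, -1 if an argument is missing or the result
 * would not fit. An unbounded copy (strcpy/strcat/sprintf) at this
 * point is the pattern that produces a boundary error. */
int combine_headers(char *out, size_t outlen,
                    const char *content_type, const char *content_desc)
{
    if (!out || outlen == 0 || !content_type || !content_desc)
        return -1;

    /* snprintf never writes more than outlen bytes and returns the
     * length the full result would have had, so truncation is detectable. */
    int n = snprintf(out, outlen, "%s; %s", content_type, content_desc);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* reject the message instead of using a cut-off value */
        return -1;
    }
    return 0;
}

/* Constructed test input: a Content-Description of desc_len 'A' characters
 * next to a fixed sample Content-Type. Returns what combine_headers returns. */
int try_description_of_length(size_t desc_len)
{
    char buf[HDR_BUF_LEN];
    char *desc = malloc(desc_len + 1);
    if (!desc)
        return -1;
    memset(desc, 'A', desc_len);
    desc[desc_len] = '\0';
    int rc = combine_headers(buf, sizeof(buf), "audio/x-wav", desc);
    free(desc);
    return rc;
}

int main(void)
{
    printf("100-char description:  %d\n", try_description_of_length(100));
    printf("2000-char description: %d\n", try_description_of_length(2000));
    return 0;
}
```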
You can read more from the original Digium Security Advisory.