Digium, the developer of Asterisk, has released a new version of the telephone system software that remedies two vulnerabilities in the voice mail system that could lead to a denial-of-service attack or a remote compromise.
The vulnerability is caused by a boundary error in the IMAP-specific code for processing voice mail messages. It can be exploited to cause a buffer overflow via a specially crafted voice mail message, sent as e-mail, containing an overly long (more than 1,024 characters) combination of Content-Type or Content-Description headers.
Successful exploitation requires the user to listen to the voice mail message via a phone. Users retrieving their voice mail via e-mail are not affected. The vulnerability is reported in 1.4.x versions and is fixed in the 1.4.13 update.
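For systems that cannot be updated immediately, a mail-side check for the condition described above can flag suspect messages before they reach a voice mail store. This is an added example, not code from Digium or the original article; it assumes "combination" means the summed length of both headers on one MIME part, and the sample message is constructed.

```python
import email
from email import policy

LIMIT = 1024  # threshold from the advisory summary above
HEADERS = ("Content-Type", "Content-Description")


def _unfold(value):
    # Drop the line breaks of folded headers so the logical value is measured.
    return "".join(str(value).splitlines())


def oversized_parts(raw_message, limit=LIMIT):
    """Return (part_index, per_header_lengths, combined) for parts over limit."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    findings = []
    for index, part in enumerate(msg.walk()):
        lengths = {}
        for name in HEADERS:
            # get_all: a crafted message may repeat a header to add length.
            values = part.get_all(name, [])
            lengths[name] = sum(len(_unfold(v)) for v in values)
        combined = sum(lengths.values())
        if combined > limit:  # assumption: both headers count together
            findings.append((index, lengths, combined))
    return findings


def sample_message(description):
    # Constructed voice mail notification, not a captured message.
    return (
        "From: pbx@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: New voicemail\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "You have a new message.\r\n"
        "--b1\r\n"
        'Content-Type: audio/x-wav; name="msg0000.wav"\r\n'
        f"Content-Description: {description}\r\n"
        "\r\n"
        "UklGRg==\r\n"
        "--b1--\r\n"
    ).encode("ascii")
```

A non-empty result from `oversized_parts` identifies the MIME part to quarantine or inspect; installing the 1.4.13 update remains the fix.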
You can read more from the original Digium Security Advisory.
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.