
FBI issues VoIP security warning on Asterisk -- but which version?


On Friday, the FBI issued a warning about an Asterisk vulnerability being exploited for vishing purposes by criminals. No details were provided, however, leaving businesses to guess and/or rush to upgrade to the latest version.

Posted on December 5 by the Internet Crime Complaint Center (IC3), the Intelligence Note says the FBI has information concerning a new technique for conducting vishing attacks using Asterisk. Without describing the vulnerability or which versions of Asterisk are at risk, the note warns that it can be exploited by cyber criminals (not to be confused with bank robbers and other ordinary criminals) to turn an Asterisk system into an autodialer capable of placing thousands of vishing phone calls within an hour.

The warning implores businesses using Asterisk to upgrade their software to a version that has the vulnerability fixed. We would presume that would mean the latest version, but without details, the G-men really aren't helping.

US-CERT, which maintains the national vulnerability notes database, most recently lists a report for the Asterisk IAX2 channel driver dated April 23, 2008, with an update on November 15. But that vulnerability is described as enabling a denial-of-service attack, not large-scale mass dialing.

Digium thinks the FBI might be referring to a vulnerability in Asterisk 1.4.18 and other branches reported by MuSecurity on March 18. If exploited, the vulnerability would allow an attacker to take over one individual's account and use it to make thousands of calls in an hour. A Digium spokesperson notes that the flaw affects older versions of Asterisk but not the latest version, 1.6.
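Whichever flaw the FBI meant, the symptom both it and Digium describe is the same: one account suddenly placing thousands of outbound calls in an hour. That pattern is easy to spot after the fact in Asterisk's call detail records. The script below is an added example written for this article, not code from the FBI, Digium or the Asterisk project; it assumes CDR lines in the default Master.csv column order (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, uniqueid), an outbound dial context named from-internal, and a per-hour threshold of 200 calls, all of which are assumptions to adjust for a real site. The sample records are constructed inline so it runs offline.

```python
"""Flag Asterisk accounts placing an abnormal number of outbound calls per hour.

Added example, not from the article or from Digium/Asterisk. Assumes the
default Master.csv column order (CDR_FIELDS below), an outbound dial context
named "from-internal", and a threshold of 200 calls/hour; all are assumptions.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Default Asterisk cdr-csv column order (assumption; confirm against cdr_csv.conf).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid",
]


def parse_cdr(text):
    """Yield one dict per CDR row; rows with an unexpected column count are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) != len(CDR_FIELDS):
            continue
        yield dict(zip(CDR_FIELDS, row))


def calls_per_hour(records, context="from-internal"):
    """Count calls per (src, hour bucket), keeping only the outbound dial context."""
    counts = Counter()
    for r in records:
        if r["dcontext"] != context:
            continue  # inbound/PSTN legs land in another context; ignore them
        start = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        counts[(r["src"], start.replace(minute=0, second=0))] += 1
    return counts


def flag_mass_dialers(text, threshold=200, context="from-internal"):
    """Return [(src, hour_iso, count)] for sources at or above threshold, busiest first."""
    counts = calls_per_hour(parse_cdr(text), context)
    hits = [(src, hour.isoformat(), n)
            for (src, hour), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def make_sample_cdr():
    """Constructed sample data (not real CDRs): extension 1001 makes 3 calls in
    an hour, extension 1002 makes 300 (the autodialer pattern), plus one inbound
    call in a different context that must not be counted."""
    buf = StringIO()
    w = csv.writer(buf)

    def add(src, dst, context, start, uid):
        w.writerow(["", src, dst, context, f'"{src}" <{src}>',
                    f"SIP/{src}-{uid}", f"SIP/trunk-{uid}", "Dial",
                    f"SIP/trunk/{dst}", start, start, start, "30", "25",
                    "ANSWERED", "3", f"1228500000.{uid}"])

    for i in range(3):
        add("1001", f"1555010{i:04d}", "from-internal",
            f"2008-12-05 09:{i * 15:02d}:00", f"{i:06d}")
    for i in range(300):
        add("1002", f"1555020{i:04d}", "from-internal",
            f"2008-12-05 10:{i % 60:02d}:{i // 60:02d}", f"{i + 100:06d}")
    add("15551234567", "1001", "from-pstn", "2008-12-05 10:05:00", "999999")
    return buf.getvalue()


if __name__ == "__main__":
    for src, hour, n in flag_mass_dialers(make_sample_cdr()):
        print(f"{src} placed {n} calls starting {hour}")
```

Run it against /var/log/asterisk/cdr-csv/Master.csv (or feed the file's contents to flag_mass_dialers) and pick a threshold from your own normal per-extension volume. A CDR sweep only tells you after the calls were billed; it is a detection check, not a substitute for applying the fix Digium describes.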

We hope in the future the FBI coordinates a bit better with US-CERT and/or affected vendors.

For more:
- FBI issues vague warning about hacked VoIP systems. Article.

Related articles
Digium CTO parses unblocked Caller ID hack - FierceVoIP
Last Hope Launches Security Season - FierceVoIP


Comments

As we kind of figured, the update today is that the IC3/FBI warning was actually a re-hash of an older Asterisk issue which has been patched for some time. They've issued a revised press release which is more specific, and I commented on it as well on the Digium blog which is on blogs.digium.com
