The flaws are in the ubiquitous open-source PJSIP multimedia communication library, used by the Asterisk PBX toolkit that’s found in a massive number of VoIP implementations.
One thing this open-source, flawed library shares with the Apache Log4J logging library fiasco that started in December: It’s ubiquitous.
The library, PJSIP – an open-source multimedia communication library – is also used by Asterisk. Asterisk is an enterprise-class, open-source PBX (private branch exchange) toolkit that’s used in voice-over-IP (VoIP) services in a massive number of implementations.
According to the Asterisk site, the software is downloaded 2M times annually and runs on 1M servers in 170 countries. Asterisk powers IP PBX systems, VoIP gateways and conference servers, and it’s used by SMBs, enterprises, call centers, carriers and governments.
On Monday, devops platform provider JFrog Security disclosed five memory-corruption vulnerabilities in PJSIP, which supplies an API that can be used by IP telephony applications such as voice-over-IP (VoIP) phones and conference apps.
An attacker who successfully triggers the vulnerabilities can flip the switch on