CVE-2011-1147 in Asterisk

Summary

by MITRE

Multiple stack-based and heap-based buffer overflows in the (1) decode_open_type and (2) udptl_rx_packet functions in main/udptl.c in Asterisk Open Source 1.4.x before 1.4.39.2, 1.6.1.x before 1.6.1.22, 1.6.2.x before 1.6.2.16.2, and 1.8 before 1.8.2.4; Business Edition C.x.x before C.3.6.3; AsteriskNOW 1.5; and s800i (Asterisk Appliance), when T.38 support is enabled, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted UDPTL packet.


Analysis

by VulDB Data Team • 01/15/2025

The vulnerability described in CVE-2011-1147 represents a critical security flaw affecting multiple versions of the Asterisk open source telephony platform and its commercial variants. This vulnerability specifically targets the UDPTL protocol implementation within Asterisk, which is used for T.38 fax relay functionality in VoIP environments. The affected components include the decode_open_type and udptl_rx_packet functions in the main/udptl.c file, making this a fundamental issue within the core telephony processing modules of these systems.

The technical implementation of this vulnerability manifests as both stack-based and heap-based buffer overflows, which occur when processing malformed UDPTL packets that contain crafted payloads. These buffer overflows are triggered when T.38 support is enabled within the Asterisk configuration, making them particularly dangerous in environments where fax relay capabilities are utilized. The flaw exists because the functions fail to properly validate input lengths and buffer boundaries when parsing incoming UDPTL packets, allowing attackers to write beyond allocated memory regions and potentially overwrite critical program state information.

From an operational impact perspective, this vulnerability creates significant risks for organizations relying on Asterisk systems for voice and fax services. Remote attackers can exploit these flaws to cause denial of service conditions by crashing the Asterisk daemon, effectively disrupting all telephony services. More critically, the buffer overflow conditions create opportunities for arbitrary code execution, potentially allowing attackers to gain control of the affected system. This represents a severe compromise risk for telephony infrastructure, especially in environments where Asterisk serves as a core communications platform for business operations.

The vulnerability aligns with CWE-121 (stack-based buffer overflow) and CWE-122 (heap-based buffer overflow), both of which are classified as high-risk security weaknesses in the Common Weakness Enumeration catalog. From an ATT&CK framework perspective, this vulnerability maps to techniques involving remote code execution and privilege escalation, with potential for lateral movement within networks where telephony systems are integrated. The attack surface is particularly concerning because T.38 support is commonly enabled in enterprise VoIP deployments and the vulnerability can be exploited without authentication, making it an attractive target for threat actors seeking to compromise telephony infrastructure.

Organizations should immediately implement mitigations including applying the vendor-provided security patches for all affected versions, disabling T.38 support where it is not required, and implementing network segmentation to limit exposure. Additionally, monitoring for unusual packet patterns and implementing intrusion detection systems can help detect exploitation attempts. The recommended approach involves comprehensive patch management across all Asterisk installations, including both open source versions and commercial variants, with particular attention to the specific version ranges mentioned in the vulnerability description.
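For the patch-management step, the affected ranges in the summary can be checked mechanically. The following is an added example, not code from VulDB, MITRE or the Asterisk project: it classifies a version string against the four open source branches listed in the summary (Business Edition, AsteriskNOW and the s800i are not covered). The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed release per affected open source branch, copied from the CVE summary.
FIXED = {
    (1, 4): (1, 4, 39, 2),
    (1, 6, 1): (1, 6, 1, 22),
    (1, 6, 2): (1, 6, 2, 16, 2),
    (1, 8): (1, 8, 2, 4),
}

def parse_version(text):
    """Return (numeric tuple, is_prerelease) for strings like 'Asterisk 1.8.2.3'."""
    m = re.match(r"\s*(?:Asterisk\s+)?(\d+(?:\.\d+)*)(.*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Treat -rc/-beta builds as older than the release of the same number.
    pre = re.match(r"[-~.]?(rc|beta)", m.group(2)) is not None
    return nums, pre

def classify(text):
    """Return 'vulnerable', 'fixed', or 'not-listed' for one version string."""
    nums, pre = parse_version(text)
    # Try the longest branch prefix first so 1.6.1 and 1.6.2 stay distinct.
    for branch in sorted(FIXED, key=len, reverse=True):
        if nums[:len(branch)] != branch:
            continue
        fixed = FIXED[branch]
        width = max(len(nums), len(fixed))
        have = nums + (0,) * (width - len(nums))
        want = fixed + (0,) * (width - len(fixed))
        if have < want or (have == want and pre):
            return "vulnerable"
        return "fixed"
    return "not-listed"  # branch is not named in the advisory text

if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are placeholders.
    inventory = {"pbx-a": "Asterisk 1.4.39.1", "pbx-b": "1.6.2.16.2",
                 "pbx-c": "1.8.2.4-rc1", "pbx-d": "1.6.0.28"}
    for host, version in inventory.items():
        print(f"{host}: {version} -> {classify(version)}")
```

A "not-listed" result means only that the branch does not appear in the summary's version ranges; it says nothing about whether that branch is supported or safe.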

Reservation: 03/03/2011

Disclosure: 03/15/2011

Moderation: accepted

Entry: VDB-4304

CPE: ready

EPSS: 0.03525

KEV: no

Activities: very low
