Asterisk Flaw Exposes VoIP Calls to Eavesdropping

Security researchers have identified a critical vulnerability in Asterisk, one of the most popular software stacks for implementing private telephone switching systems, also known as private branch exchanges (PBXes). The flaw could allow remote attackers to intercept voice over IP (VoIP) calls that use the Real-time Transport Protocol (RTP).

The vulnerability was found by researchers from Berlin-based penetration testing firm Enable Security and stems from how Asterisk routes RTP streams that contain audio and video data between parties when network address translation (NAT) is enabled. According to the researchers, when Asterisk is configured with the “nat=yes” and “strictrtp=yes” options—the latter is enabled by default—it learns where to send RTP packets by inspecting the source IP address and port number of incoming RTP traffic, rather than relying only on the address signaled when the call was set up.

Since the source IP of such traffic can be spoofed and there is no authentication for the streams, attackers can send spoofed requests to trick Asterisk-based RTP proxies into responding with the streams of ongoing calls between other parties.

“Abuse of this attack allows malicious users to inject and receive RTP streams of ongoing calls without needing to be positioned as man-in-the-middle,” the researchers said in a security advisory. “As a result, in the case of an RTP stream containing audio media, attackers can inject their own audio and receive audio being proxied through the Asterisk server.”

Since RTP streams are not encrypted, they are technically vulnerable to eavesdropping already, but attackers need to be in a position on the network path between a caller and a callee in order to intercept the stream. This is known as a man-in-the-middle (MitM) attack.

However, with this new vulnerability, which has been dubbed RTP Bleed, the MitM position is no longer necessary: remote attackers can obtain RTP streams by tricking vulnerable Asterisk proxies into relaying those streams to them, making the attack much easier to pull off.

In addition to eavesdropping and call manipulation through media injection, another consequence of this vulnerability can be denial of service, the researchers said on a website dedicated to the issue.

The problem itself is not entirely new and the Asterisk developers have attempted to fix it before, in 2011. However, a change made to the server two years later, in 2013, reintroduced the weakness, making the attack possible again.

The Asterisk developers implemented a new fix in versions 11.25.2, 13.17.1 and 14.6.1 of the Asterisk Open Source release and in versions 11.6-cert17 and 13.13-cert5 of Certified Asterisk, but the Enable Security researchers claim that the patch still has a few issues. For example, the fix only narrows the attack window to the first few milliseconds of a stream; it does not close it entirely.

The researchers recommend protecting the streams with the Secure Real-time Transport Protocol (SRTP), which uses both encryption and authentication. Misconfigured proxies might still leak SRTP streams, but in that case attackers would only be able to launch a denial-of-service attack, not compromise the integrity and confidentiality of the calls.
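The following is an added example, not Asterisk's code or anything from the Enable Security advisory. It models in Python the three behaviours discussed above: a relay leg that keeps learning its peer's media address from the source of whatever RTP arrives (the root of RTP Bleed), a leg that locks to the first valid source and then drops packets from anyone else (a simplified stand-in for the patched, time-limited learning window), and a leg that requires an SRTP-style authentication tag before it trusts a packet at all. The relay class, the address-learning policies, the addresses, key and payloads are all constructed for the example; the SRTP part models only authentication (HMAC-SHA1 truncated to 80 bits, the SRTP default), not payload encryption.

```python
"""Toy model of the RTP address learning behind RTP Bleed (added example,
not Asterisk's code).  A relay leg learns where to send media from the
source address of received packets (symmetric RTP for NAT traversal); three
policies are compared.  Addresses, key and payloads are constructed."""
import hashlib
import hmac
import struct

RTP_VERSION = 2
AUTH_TAG_LEN = 10          # SRTP default: HMAC-SHA1 truncated to 80 bits


def parse_rtp_header(pkt: bytes):
    """Parse the fixed 12-byte RTP header (RFC 3550); None if not RTP."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": pkt[12:]}


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Build a minimal RTP packet: V=2, no padding, extension or CSRC list."""
    return struct.pack("!BBHII", RTP_VERSION << 6, pt & 0x7F, seq, ts, ssrc) + payload


def protect(pkt: bytes, key: bytes) -> bytes:
    """Append an SRTP-style authentication tag (authentication only)."""
    return pkt + hmac.new(key, pkt, hashlib.sha1).digest()[:AUTH_TAG_LEN]


def verify(pkt: bytes, key: bytes):
    """Return the packet without its tag if the tag is valid, else None."""
    if len(pkt) < 12 + AUTH_TAG_LEN:
        return None
    body, tag = pkt[:-AUTH_TAG_LEN], pkt[-AUTH_TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:AUTH_TAG_LEN]
    return body if hmac.compare_digest(tag, expected) else None


class RelayLeg:
    """One media leg of a NAT-aware relay.  lock_after_first=False keeps
    re-learning the peer from every valid packet; True learns once, then drops
    other sources.  auth_key, if set, rejects untagged/mis-tagged packets."""

    def __init__(self, lock_after_first: bool, auth_key: bytes = None):
        self.lock_after_first = lock_after_first
        self.auth_key = auth_key
        self.peer = None          # (ip, port) that far-end media is sent to
        self.forwarded = []       # (dest, payload) record of forwarded media

    def receive(self, src, pkt: bytes) -> bool:
        """Handle a packet arriving on this leg; True if it was accepted."""
        if self.auth_key is not None:
            pkt = verify(pkt, self.auth_key)
            if pkt is None:
                return False                      # bad or missing tag
        if parse_rtp_header(pkt) is None:
            return False                          # not RTP at all
        if self.peer is None:
            self.peer = src                       # first packet: learn the peer
            return True
        if self.lock_after_first:
            return src == self.peer               # strict: learned source only
        self.peer = src                           # vulnerable: re-learn from anyone
        return True

    def forward(self, payload: bytes) -> None:
        """Send media from the far end of the call to the learned peer."""
        if self.peer is not None:
            self.forwarded.append((self.peer, payload))


def simulate(lock_after_first: bool, auth_key: bytes = None):
    """Return (attacker packet accepted?, destinations of far-end audio)."""
    leg = RelayLeg(lock_after_first, auth_key)
    phone = ("203.0.113.10", 4000)     # constructed: the legitimate caller
    attacker = ("198.51.100.7", 5555)  # constructed: off-path attacker

    # 1. The caller's phone sends its first packet and the relay learns it.
    first = build_rtp(1, 160, 0x12345678, b"\x00" * 160)
    leg.receive(phone, protect(first, auth_key) if auth_key else first)
    leg.forward(b"far-end audio #1")

    # 2. The attacker sends a valid-looking RTP packet at the media port.
    #    Plain RTP has no authentication, so only source-address policy
    #    decides whether the relay now treats the attacker as the peer.
    probe = build_rtp(999, 0, 0xDEADBEEF, b"\x00" * 160)
    accepted = leg.receive(attacker, probe)      # attacker has no key
    leg.forward(b"far-end audio #2")
    return accepted, [dest for dest, _ in leg.forwarded]


if __name__ == "__main__":
    print("re-learning relay:", simulate(False))
    print("locked relay:     ", simulate(True))
    print("srtp-authed relay:", simulate(False, auth_key=b"constructed-key"))
```

In the re-learning case the second chunk of far-end audio goes to the attacker's address, which is the eavesdropping outcome described above; the locked leg keeps sending to the phone, and with the authentication tag in place the attacker's probe is rejected before any learning happens, so the worst it can do is make noise on the port. The real patched Asterisk behaviour is a short time window rather than a single-packet lock, which is why the researchers note that exploitation during the first few milliseconds is still possible.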

Poorly secured MongoDB databases are being wiped again

Attackers are at work again wiping data from poorly secured MongoDB databases and leaving ransom notes behind. According to Victor Gevers, the founder of the GDI Foundation, a non-profit organization that identifies vulnerable systems on the internet and notifies their owners, attackers have hacked into 25,000 MongoDB databases over the past few days.

“A new attacker cru3lty@safe-mail.net made a record amount [22,449] of victims,” Gevers said Saturday on Twitter.

Cru3lty is leaving behind a ransom note inside the wiped databases, claiming that the data was backed up to a remote server and will be returned in exchange for 0.2 bitcoins, or around US$875.

This new wave of attacks follows similar attacks in late December that wiped data from tens of thousands of MongoDB databases that had been left exposed to the internet without a password. The attackers later also targeted poorly secured Elasticsearch, Hadoop and CouchDB deployments.

Together with researchers, Gevers is tracking the MongoDB compromises in a public spreadsheet on Google Docs. According to the file, two additional groups of attackers are responsible for 3,516 and 839 recent MongoDB compromises and are asking for ransoms of 0.05 BTC and 0.15 BTC respectively.

Victims should refrain from paying the ransom, as there is no evidence that the attackers actually copied the data before deleting it.

Thousands of military contractors have their personal details leaked

Security researchers have found more than 9,000 resumés containing the personal details of former military personnel and other individuals who applied to work for a private security company. The files were found in a repository on Amazon’s Simple Storage Service (S3) that had been left publicly accessible by its owner.

According to researchers from cybersecurity firm UpGuard who found and analyzed the files, hundreds of applicants claimed to have top secret U.S. government security clearances and many of them were military veterans.

The resumés were sent between 2008 and 2017 to TigerSwan, a private security contractor based in Apex, North Carolina, and included names, home addresses, phone numbers, email addresses, driver’s license numbers and other sensitive information. TigerSwan blames a third-party recruiting vendor called TalentPen, with which it had a contract until February, for leaving the files exposed.

“It is our understanding that Amazon Web Services informed TalentPen of this issue sometime in August, resulting in TalentPen removing the resumé files on August 24th,” TigerSwan said in a statement published Saturday on its website. “TalentPen never notified us of their negligence with the resumé files nor that they only recently removed the files.”

“This cloud leak illustrates once again the urgent responsibility of enterprises and the vendors that work for them to ensure the security of sensitive data against exposure via misconfiguration, an unforced error which requires no malicious actors or hacking for sensitive information to be exposed to the wider internet,” the UpGuard researchers said in a blog post.

The exposure of sensitive data through misconfigured Amazon S3 “buckets” and other types of databases is unfortunately common. In July, UpGuard found an exposed Amazon S3 bucket with the names and contact information of 2.2 million Dow Jones & Co. customers, including Wall Street Journal subscribers. That same month the company also found the names, addresses and personal identification numbers (PINs) of millions of Verizon customers in a separate S3 bucket owned by a data analytics vendor called NICE Systems.

“This overt example of negligence and breach of regulatory requirements, clearly demonstrates that cybersecurity should start with a comprehensive inventory of digital assets,” Ilia Kolochenko, the CEO of web security company High-Tech Bridge, said via email regarding the latest resumé breach. “In the era of cloud, outsourcing and IoT, it is very challenging to maintain a comprehensive, accurate and up-to-date inventory of your digital assets, including software, hardware, users, data and licenses. However, it’s the crucial first step, without which all other cybersecurity efforts can be undermined and nullified.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
