VoIP Zero Day

Improving VoIP by Force

Asterisk: NSFW++

Not surprisingly, Digium has yet to resolve the first two 0days that were released through this site. There is only one reference to the issues on the Digium mailing list.

Please note Tilghman’s response…

“This has already been addressed”

I’m unsure whether they are ignorant of the issue (a.k.a. Tilghman is ignorant of his own job) or whether they are trying to sweep the dirt (0day) under the rug. Either way, these 0days are not resolved!!

Go test it for yourself. Nonetheless, I’ll prove it without technical terms.

How could Digium fix a bug in an advisory from July 18th when it was publicly released on September 26th? That is two months in the 0day direction.

I have also decided to release another outstanding 0day to see if Tilghman can count in larger absolute date values. It does the same thing: it turns an Asterisk PBX into the most impressive paperweight running Linux…

The NIST NVD rates these types of Asterisk vulnerabilities with a CVSS score of 7.8 out of 10!!

If anyone is aware that a Digium employee/affiliate is going to be in New York City for any reason, please inform me through this site. I’m looking forward to giving them a piece of my mind in person.

For the time being, the best thing any concerned Asterisk professional can do is to email and/or call Digium and ask them why they are refusing to fix these vulnerabilities.

I’ve put together a presentation detailing this awful debacle. I’ve submitted it to a few organizations for upcoming events, all of whom have had positive feedback.

Asterisk == NSFW

Written by Algo Rythmn

October 19th, 2008 at 5:07 pm