According to Computerworld, an Australian and New Zealand security firm has discovered a vulnerability in the Asterisk PBX server that enables an attacker to gain complete control of a PBX system.
This was also highlighted by Ward Mundy of Nerd Vittles, who said that the exploit allows an attacker to spoof caller IDs, sniff voice calls on the network and take complete control of the system. The vulnerability has been identified in all versions of Asterisk included in the Trixbox and Asterisk@Home releases except the new Asterisk 1.4 (currently still under development).
An attacker who can connect to the Asterisk server SCCP “Skinny” port (by default 2000/tcp) can attack the vulnerable function prior to registering as a configured Skinny phone, permitting pre-authentication remote compromise and remote code execution as the root user.
To mitigate this, block inbound traffic to port 2000/tcp at your firewall. If your server sits in a DMZ or is connected directly to the Internet, disable the chan_skinny module instead. To do this, edit /etc/asterisk/modules.conf and add the following line in the [modules] context:
noload => chan_skinny.so
Then restart Asterisk:
amportal restart
Note: this module is primarily used to talk to Cisco phones in their native protocol (SCCP), i.e. non-SIP, so disabling it only affects deployments that rely on such phones.
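As an added example (not part of the original post or the Asterisk project), the following POSIX shell functions apply the modules.conf change described above idempotently, placing the noload line inside the [modules] context, and check whether anything on the host is still listening on the Skinny port. The `ss` call assumes iproute2 is installed; the configuration path is passed in as an argument.

```shell
#!/bin/sh
# Added example: disable chan_skinny in an Asterisk modules.conf and
# verify the change. Not code from the original post.

# Returns 0 if an active (uncommented) "noload => chan_skinny.so" line
# is already present in the given modules.conf, 1 otherwise.
# Accepts both "noload => x" and "noload = x" spellings.
skinny_noload_present() {
    grep -Eq '^[[:space:]]*noload[[:space:]]*=>?[[:space:]]*chan_skinny\.so' "$1"
}

# Idempotently insert "noload => chan_skinny.so" directly after the
# [modules] header so it lands in the right context. If the file has no
# [modules] context at all, append one together with the line.
# Returns 0 when the file disables chan_skinny afterwards.
disable_chan_skinny() {
    conf="$1"
    if skinny_noload_present "$conf"; then
        return 0
    fi
    if grep -q '^\[modules\]' "$conf"; then
        awk '{ print } /^\[modules\]/ && !done { print "noload => chan_skinny.so"; done = 1 }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '\n[modules]\nnoload => chan_skinny.so\n' >> "$conf"
    fi
    skinny_noload_present "$conf"
}

# Returns 0 if a TCP listener is bound on the default Skinny port
# (2000/tcp) on this host, i.e. chan_skinny is still reachable; run it
# after "amportal restart" to confirm the module is really gone.
# Assumes iproute2 "ss" is available.
skinny_port_listening() {
    ss -Hltn 2>/dev/null | awk '{ print $4 }' | grep -Eq '(^|:)2000$'
}

# Typical use:
#   disable_chan_skinny /etc/asterisk/modules.conf && amportal restart
#   skinny_port_listening && echo "WARNING: 2000/tcp still open"
```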