[asterisk-bugs] [Asterisk 0013693]: [patch] Snargle bargle zous (with all these marbles in my mouth)

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Oct 14 16:09:41 CDT 2008


The following issue has been SUBMITTED. 
====================================================================== 
http://bugs.digium.com/view.php?id=13693 
====================================================================== 
Reported By:                Corydon76
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   13693
Category:                   Channels/chan_iax2
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 148736 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-10-14 16:09 CDT
Last Modified:              2008-10-14 16:09 CDT
====================================================================== 
Summary:                    [patch] Snargle bargle zous (with all these marbles in my mouth)
Description: 
Possible security issue:

Asterisk returns a different answer when a user does not exist as compared
to a user who has not yet successfully authenticated (with the REGAUTH
command).  This amounts to information leakage, allowing an attacker to
scan an Asterisk machine for a list of users.  Once a list of users has
been obtained, the attacker can proceed to run a password attack.

If, instead, we provide a similar response to an invalid user, it makes
the attacker's job (finding a valid user/password combination) much more
difficult.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-10-14 16:09 Corydon76      Asterisk Version          => SVN             
2008-10-14 16:09 Corydon76      SVN Branch (only for SVN checkouts, not tarball releases) =>  1.4            
2008-10-14 16:09 Corydon76      SVN Revision (number only!) => 148736          
2008-10-14 16:09 Corydon76      Disclaimer on File?       => N/A             
======================================================================
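The leak the report describes, as an added illustration that is not Asterisk's chan_iax2 code and does not speak IAX2 on the wire. It keeps only the observable shape of the registration exchange (a REGREQ names a user; the server answers with a REGAUTH challenge or a REGREJ; a second REGREQ carries the MD5 challenge response) and shows the "before" responder, whose answer differs by whether the user exists, beside a "same response" responder in the spirit of the fix the reporter proposes. The peer table, secrets, reject strings and helper names are constructed for the example.

```python
"""Toy model of the registration-response leak in the report above.

Added illustration only: it is not Asterisk's chan_iax2 code and does not
speak IAX2 on the wire. It models the observable shape of the exchange:
a REGREQ names a user, the server answers with a REGAUTH challenge or a
REGREJ, and a second REGREQ carries the MD5 challenge response.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample peer table (user -> shared secret); values are made up.
PEERS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}


@dataclass(frozen=True)
class Response:
    kind: str                 # "REGAUTH" (challenge), "REGREJ" (reject), "REGACK" (accepted)
    auth_methods: str = ""    # advertised auth method, e.g. "md5"
    challenge: str = ""       # random nonce for REGAUTH, empty otherwise
    cause: str = ""           # reject reason text for REGREJ

    def shape(self) -> tuple:
        """Everything a remote party can compare across users. The nonce is
        random per request, so only its presence and length are observable."""
        return (self.kind, self.auth_methods, len(self.challenge), self.cause)


def md5_response(challenge: str, secret: str) -> str:
    # IAX2 MD5 auth: md5(challenge + secret), hex encoded.
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def leaky_regreq(user: str) -> Response:
    """Before: unknown users are rejected outright while known users are
    challenged. The answers differ in kind, which is the information leak."""
    if user not in PEERS:
        return Response("REGREJ", cause="No such user")
    return Response("REGAUTH", auth_methods="md5", challenge=secrets.token_hex(8))


def uniform_regreq(user: str) -> Response:
    """After: every REGREQ gets a REGAUTH of the same shape. A user that does
    not exist is now indistinguishable from one that has not authenticated."""
    return Response("REGAUTH", auth_methods="md5", challenge=secrets.token_hex(8))


def uniform_regauth_reply(user: str, challenge: str, md5_result: str) -> Response:
    """Second leg: the reject for a wrong password and the reject for a
    non-existent user must also be identical, or the leak simply moves here."""
    secret = PEERS.get(user)
    # Run the same computation with a dummy secret when the user is unknown,
    # so the code path is the same and only the final comparison fails.
    expected = md5_response(challenge, secret if secret is not None else "")
    if secret is not None and secrets.compare_digest(expected, md5_result):
        return Response("REGACK")
    return Response("REGREJ", cause="Registration Refused")


def leaks_user_existence(handler) -> bool:
    """Defender's check for the first leg: does the handler answer an existing
    but unauthenticated user differently from a made-up one?"""
    return handler("alice").shape() != handler("no-such-user").shape()
```

Running `leaks_user_existence(leaky_regreq)` returns True and `leaks_user_existence(uniform_regreq)` returns False; the second-leg handler then gives the same REGREJ shape to a wrong password and to an unknown user, which is the property to keep when applying this kind of fix.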