[asterisk-bugs] [JIRA] (ASTERISK-27818) Username bruteforce is possible when using ACL with PJSIP
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Tue Jul 3 11:14:58 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-27818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-27818:
-------------------------------------
Target Release Version/s: 15.5.0
> Username bruteforce is possible when using ACL with PJSIP
> ---------------------------------------------------------
>
> Key: ASTERISK-27818
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27818
> Project: Asterisk
> Issue Type: Security
> Components: Resources/res_pjsip
> Affects Versions: 13.19.2
> Reporter: John
> Assignee: Richard Mudgett
> Severity: Blocker
> Labels: patch, pjsip, security
> Target Release: 13.21.1, 14.7.7, 15.4.1, 13.22.0, 15.5.0
>
> Attachments: AST-2018-008.pdf, jira_asterisk_27818_v13.patch
>
>
> When ACL rules block registration they respond with a 403 Forbidden when the username matches and with 401 Unauthorized when the username does not match.
> This essentially allows someone to constantly test usernames and see which ones are valid and which ones are not.
> I've only encountered this problem on my setup working with Realtime. Not sure what else is effected.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list