[asterisk-bugs] [JIRA] (ASTERISK-27818) Username bruteforce is possible when using ACL with PJSIP

Asterisk Team (JIRA) noreply at issues.asterisk.org
Tue Jul 3 11:14:58 CDT 2018


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-27818:
-------------------------------------

    Target Release Version/s: 15.5.0

> Username bruteforce is possible when using ACL with PJSIP
> ---------------------------------------------------------
>
>                 Key: ASTERISK-27818
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27818
>             Project: Asterisk
>          Issue Type: Security
>          Components: Resources/res_pjsip
>    Affects Versions: 13.19.2
>            Reporter: John
>            Assignee: Richard Mudgett
>            Severity: Blocker
>              Labels: patch, pjsip, security
>      Target Release: 13.21.1, 14.7.7, 15.4.1, 13.22.0, 15.5.0
>
>         Attachments: AST-2018-008.pdf, jira_asterisk_27818_v13.patch
>
>
> When ACL rules block registration they respond with a 403 Forbidden when the username matches and with 401 Unauthorized when the username does not match.
> This essentially allows someone to constantly test usernames and see which ones are valid and which ones are not.
> I've only encountered this problem on my setup working with Realtime. Not sure what else is effected.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list