[asterisk-bugs] [JIRA] (ASTERISK-27818) Username bruteforce is possible when using ACL with PJSIP
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Mon Jun 11 16:56:54 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-27818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Harwell updated ASTERISK-27818:
-------------------------------------
Security: (was: Reporter, Bug Marshals, and Digium)
> Username bruteforce is possible when using ACL with PJSIP
> ---------------------------------------------------------
>
> Key: ASTERISK-27818
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27818
> Project: Asterisk
> Issue Type: Security
> Components: Resources/res_pjsip
> Affects Versions: 13.19.2
> Reporter: John
> Assignee: Richard Mudgett
> Severity: Blocker
> Labels: patch, pjsip, security
> Target Release: 13.21.1, 14.7.7, 15.4.1
>
> Attachments: AST-2018-008.pdf, jira_asterisk_27818_v13.patch
>
>
> When ACL rules block registration they respond with a 403 Forbidden when the username matches and with 401 Unauthorized when the username does not match.
> This essentially allows someone to constantly test usernames and see which ones are valid and which ones are not.
> I've only encountered this problem on my setup working with Realtime. Not sure what else is effected.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list