[asterisk-security] AST-2009-008: SIP responses expose valid usernames

Asterisk Security Team security at asterisk.org
Wed Nov 4 14:12:20 CST 2009


               Asterisk Project Security Advisory - AST-2009-008

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SIP responses expose valid usernames            |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Information leak                                |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 26, 2009                                |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Patrik Karlsson <patrik AT cqure DOT net>       |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp <jcolp AT digium DOT com>           |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | It is possible to determine if a peer with a specific    |
   |             | name is configured in Asterisk by sending a specially    |
   |             | crafted REGISTER message twice. The username that is to  |
   |             | be checked is put in the user portion of the URI in the  |
   |             | To header. A bogus non-matching value is put into the    |
   |             | username portion of the Digest in the Authorization      |
   |             | header. If the peer does exist the second REGISTER will  |
   |             | receive a response of "403 Authentication user name does |
   |             | not match account name". If the peer does not exist the  |
   |             | response will be "404 Not Found" if alwaysauthreject is  |
   |             | disabled and "401 Unauthorized" if alwaysauthreject is   |
   |             | enabled.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All versions prior to 1.2.35    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.1.x | All versions prior to 1.6.1.9   |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | All versions                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.12  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.2.4.5   |
   |                            |         | and C.3.2.2                     |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | All versions                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | All versions prior to 1.3.0.5   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.35          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.26.3         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.17         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.9          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.12         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.5          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.3.2.2          |
   |---------------------------------------------+--------------------------|
   |         S800i (Asterisk Appliance)          |         1.3.0.5          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                            SVN URL                            |Revision|
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.2.diff.txt  |1.2     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.4.diff.txt  |1.4     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.6.0.diff.txt|1.6.0   |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.6.1.diff.txt|1.6.1   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links         |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-008.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-008.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date          |      Editor       |       Revisions Made       |
   |-----------------------+-------------------+----------------------------|
   | November 4, 2009      | Joshua Colp       | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-008
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-security mailing list