[asterisk-users] AST-2011-011: Possible enumeration of SIP users due to differing authentication responses

Asterisk Security Team security at asterisk.org
Tue Jun 28 15:31:12 CDT 2011


               Asterisk Project Security Advisory - AST-2011-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Possible enumeration of SIP users due to          |
   |                    | differing authentication responses                |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized data disclosure                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | June 11, 2011                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     |                                                   |
   |--------------------+---------------------------------------------------|
   |     Posted On      | June 28, 2011                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | June 28, 2011                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Terry Wilson <twilson at digium.com>                 |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2011-2536                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk may respond differently to SIP requests from an |
   |             | invalid SIP user than it does to a user configured on    |
   |             | the system, even when the alwaysauthreject option is set |
   |             | in the configuration. This can leak information about    |
   |             | what SIP users are valid on the Asterisk system.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Respond to SIP requests from invalid and valid SIP users  |
   |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
   |            | identically by default due to backward-compatibility      |
   |            | reasons, and must have alwaysauthreject=yes set in        |
   |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
   |            |                                                           |
   |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
   |            | and 1.6.2 set alwaysauthreject=yes in the general section |
   |            | of sip.conf.                                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.2.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.3.x      | All versions       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |             Product              |               Release               |
   |----------------------------------+-------------------------------------|
   |       Asterisk Open Source       |    1.4.41.2, 1.6.2.18.2, 1.8.4.4    |
   |----------------------------------+-------------------------------------|
   |    Asterisk Business Edition     |               C.3.7.3               |
   |----------------------------------+-------------------------------------|
   +------------------------------------------------------------------------+

   +---------------------------------------------------------------------------+
   |                                  Patches                                  |
   |---------------------------------------------------------------------------|
   |                           Download URL                           |Revision|
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.4.diff  |1.4     |
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.6.2.diff|1.6.2   |
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff  |1.8     |
   +---------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |         Links          |                                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2011-011.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2011-011.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |       Editor        |       Revisions Made        |
   |--------------------+---------------------+-----------------------------|
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2011-011
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-users mailing list