[asterisk-users] Securing Asterisk
Matthew J. Roth
mroth at imminc.com
Wed Jul 27 13:20:14 CDT 2011
Kevin P. Fleming wrote:
>
> 'alwaysauthreject' is not incompliant with any RFCs; the RFCs define
> response codes that *can* be used to indicate (for example) that the
> Request URI does not represent a target known to the receiver (404 Not
> Found), but does not mandate that the server respond with that code in
> that situation.
Kevin,
Thanks for the correction and I apologize if I'm propagating a
misconception. Am I misunderstanding this Asterisk Security Advisory?
http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html
> In 2006, the Asterisk maintainers made it more difficult
> to scan for valid SIP usernames by implementing an
> option called "alwaysauthreject"...
>
> ...What we have done is to carefully emulate exactly the
> same responses throughout possible dialogs, which should
> prevent attackers from gleaning this information. All
> invalid users, if this option is turned on, will receive
> the same response throughout the dialog, as if a
> username was valid, but the password was incorrect.
>
> It is important to note several things. First, this
> vulnerability is derived directly from the SIP
> specification, and it is a technical violation of RFC
> 3261 (and subsequent RFCs, as of this date), for us to
> return these responses...
I am asking out of genuine curiosity, because I trust your assessment
more than my interpretation of the advisory.
Thank you,
Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
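A simplified model of the behaviour the advisory describes, added here as an illustration (it is not Asterisk's code): without alwaysauthreject an unknown username gets a different status than a known username with a bad password, so the two cases can be told apart; with the option on, both get the same challenge. The peer table, realm, and helper names are constructed for the example.

```python
"""Model of a SIP registrar's reply to REGISTER, with and without
alwaysauthreject. Constructed example, not Asterisk source."""
import hmac
import secrets

# Constructed sample peer table (username -> password); not real accounts.
PEERS = {"1001": "correct-horse", "1002": "battery-staple"}


def _challenge(realm="asterisk"):
    """401 Unauthorized with a fresh Digest challenge, as sent to a
    known user who supplied the wrong password."""
    return {
        "code": 401,
        "reason": "Unauthorized",
        "www_authenticate": f'Digest realm="{realm}", nonce="{secrets.token_hex(8)}"',
    }


def handle_register(username, password, alwaysauthreject):
    """Decide the response to a REGISTER carrying a username/password."""
    if username not in PEERS:
        if alwaysauthreject:
            # Same reply as the wrong-password path: no way to tell the
            # unknown user apart from a known one.
            return _challenge()
        # Leaky behaviour: a distinct code reveals the user does not exist.
        return {"code": 404, "reason": "Not Found"}
    if not hmac.compare_digest(PEERS[username].encode(), password.encode()):
        return _challenge()
    return {"code": 200, "reason": "OK"}


def _shape(resp):
    """Status code, reason and header names; the nonce changes every time
    so it is not part of the comparison."""
    return (resp["code"], resp["reason"], tuple(sorted(resp)))


def distinguishable(alwaysauthreject):
    """True if an unknown user and a known user with a wrong password
    receive responses that differ in code, reason or headers."""
    unknown = handle_register("9999", "wrong", alwaysauthreject)
    known_bad = handle_register("1001", "wrong", alwaysauthreject)
    return _shape(unknown) != _shape(known_bad)
```

The check reproduces the enumeration oracle the advisory closed: `distinguishable(False)` is True, `distinguishable(True)` is False.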