Asterisk Security Team
2009-Jan-08 19:28 UTC
[asterisk-users] AST-2009-001: Information leak in IAX2 authentication
Asterisk Project Security Advisory - AST-2009-001 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | Information leak in IAX2 authentication | |----------------------+-------------------------------------------------| | Nature of Advisory | Unauthorized data disclosure | |----------------------+-------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |----------------------+-------------------------------------------------| | Severity | Minor | |----------------------+-------------------------------------------------| | Exploits Known | Yes | |----------------------+-------------------------------------------------| | Reported On | October 15, 2008 | |----------------------+-------------------------------------------------| | Reported By | http://www.unprotectedhex.com | |----------------------+-------------------------------------------------| | Posted On | January 7, 2009 | |----------------------+-------------------------------------------------| | Last Updated On | January 7, 2009 | |----------------------+-------------------------------------------------| | Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > | |----------------------+-------------------------------------------------| | CVE Name | CVE-2009-0041 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | IAX2 provides a different response during authentication | | | when a user does not exist, as compared to when the | | | password is merely wrong. This allows an attacker to | | | scan a host to find specific users on which to | | | concentrate password cracking attempts. | | | | | | The workaround involves sending back responses that are | | | valid for that particular site. For example, if it were | | | known that a site only uses RSA authentication, then | | | sending back an MD5 authentication request would | | | similarly identify the user as not existing. The | | | opposite is also true. So the solution is always to send | | | back an authentication response that corresponds to a | | | known frequency with which real authentication responses | | | are returned, when the user does not exist. This makes | | | it very difficult for an attacker to guess whether a | | | user exists or not, based upon this particular | | | mechanism. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of | | | the 1.4 branch or one of the releases noted below. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.2.x | All version prior to 1.2.31 | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.23-rc4 | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.6.x | All versions prior to | | | | 1.6.0.3-rc2 | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.2.x | Not affected | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.4.x | Not affected | |----------------------------+---------+---------------------------------| | Asterisk Addons | 1.6.x | Not affected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | A.x.x | All versions | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | C.2.x.x | All versions prior to C.2.1.2.1 | |----------------------------+---------+---------------------------------| | AsteriskNOW | 1.5 | Not affected | |----------------------------+---------+---------------------------------| | s800i (Asterisk Appliance) | 1.2.x | All versions prior to 1.3.0 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |--------------------------------------------+---------------------------| | Asterisk Open Source | 1.2.31 | |--------------------------------------------+---------------------------| | Asterisk Open Source | 1.4.22.1 | |--------------------------------------------+---------------------------| | Asterisk Open Source | 1.6.0.3 | |--------------------------------------------+---------------------------| | Asterisk Business Edition | B.2.5.7 | |--------------------------------------------+---------------------------| | Asterisk Business Edition | C.1.10.4 | |--------------------------------------------+---------------------------| | Asterisk Business Edition | C.2.1.2.1 | |--------------------------------------------+---------------------------| | s800i (Asterisk Appliance) | 1.3.0 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Patches | |------------------------------------------------------------------------| | URL |Branch| |-----------------------------------------------------------------+------| |http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 | |-----------------------------------------------------------------+------| |http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 | |-----------------------------------------------------------------+------| |http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | http://code.google.com/p/iaxscan/ | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2009-001.pdf and | | http://downloads.digium.com/pub/security/AST-2009-001.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+------------------------+-----------------------------| | 2009-01-07 | Tilghman Lesher | Initial release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2009-001 Copyright (c) 2009 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.