Tzafrir Cohen
2011-Jun-29 08:46 UTC
[Secure-testing-team] Bug#632029: asterisk: AST-2011-011 (CVE-2011-2536) Possible enumeration of SIP users
Package: asterisk
Version: 1:1.8.4.2-1.8979
Severity: grave
Tags: security upstream patch
Justification: user security hole

Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.

Respond to SIP requests from invalid and valid SIP users in the same way.

Asterisk 1.4 (in Oldstable) and 1.6.2 (in Stable) do not respond identically by default due to backward-compatibility reasons, and must have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.
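The mitigation named in the report is a one-line sip.conf setting, so the practical check on a fleet of older (1.4 / 1.6.2) boxes is whether `[general]` actually carries `alwaysauthreject=yes`. The following checker is an added example, not code from the bug report or from the Asterisk project. It assumes the usual sip.conf layout (INI-style sections, `;` comments, `key=value` or `key => value` lines, duplicate keys allowed, last value wins) and that the option lives in the `[general]` section; the two sample configurations are constructed for the example.

```python
"""Audit an Asterisk sip.conf for the alwaysauthreject mitigation (AST-2011-011).

Added example; not part of the bug report or of Asterisk itself.
Assumptions: sip.conf is INI-like, ';' starts a comment, keys may repeat
(sip.conf uses repeated allow=/disallow= lines), later values override
earlier ones, and alwaysauthreject is read from [general].
"""
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\]")          # matches [general], [foo](!) ...
TRUTHY = {"yes", "true", "on", "1", "y", "t"}      # spellings Asterisk treats as true


def parse_sip_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse sip.conf text into {section: [(key, value), ...]}, keeping duplicates."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ; comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()   # template suffix like (!) is outside the brackets
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                               # stray line before any section header
        key, _, value = line.partition("=")
        value = value.lstrip(">").strip()          # accept both "key=value" and "key => value"
        sections[current].append((key.strip().lower(), value.lower()))
    return sections


def alwaysauthreject_setting(text: str) -> Optional[str]:
    """Return the effective alwaysauthreject value from [general], or None if unset."""
    value: Optional[str] = None
    for key, val in parse_sip_conf(text).get("general", []):
        if key == "alwaysauthreject":
            value = val                            # last occurrence wins, as Asterisk applies them in order
    return value


def check_sip_conf(text: str, branch: str = "1.6.2") -> str:
    """Classify a sip.conf as 'ok' or 'weak' for the given Asterisk branch.

    Per the advisory, 1.8 defaults to alwaysauthreject=yes; 1.4 and 1.6.2 do not,
    so an unset option on those branches is reported as weak.
    """
    value = alwaysauthreject_setting(text)
    if value is None:
        if branch.startswith("1.8"):
            return "ok: alwaysauthreject unset, but 1.8 defaults to yes"
        return f"weak: alwaysauthreject unset; Asterisk {branch} defaults to no"
    if value in TRUTHY:
        return "ok: alwaysauthreject=" + value
    return "weak: alwaysauthreject=" + value


# Constructed sample configurations (not from any real deployment).
WEAK_CONF = """\
[general]           ; constructed sample: option commented out
context=default
;alwaysauthreject=yes
allow=ulaw
allow=alaw

[1001]
type=friend
secret=EXAMPLE-PLACEHOLDER
"""

FIXED_CONF = """\
[general]           ; constructed sample: mitigation applied
context=default
alwaysauthreject = no   ; an earlier value ...
alwaysauthreject => yes ; ... overridden by the later one, as Asterisk does
allow=ulaw

[1001](!)
type=friend
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name} on 1.6.2: {check_sip_conf(conf, '1.6.2')}")
        print(f"{name} on 1.8:   {check_sip_conf(conf, '1.8.4')}")
```

Running it prints a "weak" verdict for the commented-out sample on 1.6.2, an "ok" verdict for the same file on 1.8 (default applies), and "ok" for the fixed sample on both. Wiring `check_sip_conf` into a configuration-management compliance check is the natural place for it, since the report notes the option must be set explicitly on the Oldstable and Stable packages.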