Asterisk Security Team
2013-Mar-27 20:55 UTC
[asterisk-announce] AST-2013-003: Username disclosure in SIP channel driver
Asterisk Project Security Advisory - AST-2013-003
Product Asterisk
Summary Username disclosure in SIP channel driver
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 30, 2013
Reported By Walter Doekes, OSSO B.V.
Posted On February 21, 2013
Last Updated On March 27, 2013
Advisory Contact Kinsey Moore <kmoore at digium.com>
CVE Name CVE-2013-2264
Description When authenticating via SIP with alwaysauthreject enabled,
allowguest disabled, and autocreatepeer disabled, Asterisk
discloses whether a user exists for INVITE, SUBSCRIBE, and
REGISTER transactions in multiple ways.
This information was disclosed:
* when a "407 Proxy Authentication Required" response
was
sent instead of "401 Unauthorized" response.
* due to the presence or absence of additional tags at the
end of "403 Forbidden" such as "(Bad
auth)".
* when a "401 Unauthorized" response was sent instead
of
"403 Forbidden" response after a retransmission.
* when retransmissions were sent when a matching peer did
not exist, but were not when a matching peer did exist.
Resolution This issue can only be mitigated by upgrading to versions of
Asterisk that contain the patch or applying the patch.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Asterisk Open Source 11.x All Versions
Certified Asterisk 1.8.15 All Versions
Asterisk Business Edition C.3.x All Versions
Asterisk Digiumphones 10.x-digiumphones All Versions
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Asterisk Digiumphones 10.12.2-digiumphones
Certified Asterisk 1.8.15-cert2
Asterisk Business Edition C.3.8.1
Patches
SVN URL
Revision
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff
Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff
Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff
Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff
Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff
Asterisk
BE C.3
Links https://issues.asterisk.org/jira/browse/ASTERISK-21013
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-003.pdf and
http://downloads.digium.com/pub/security/AST-2013-003.html
Revision History
Date Editor Revisions Made
2013-02-20 Kinsey Moore Initial revision.
2013-02-27 Kinsey Moore Added Asterisk BE patch information.
2013-02-27 Kinsey Moore Corrected open source Asterisk versions.
Asterisk Project Security Advisory - AST-2013-003
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.