Possible enumeration of SIP users due to differing authentication responses

Home » Asterisk Users » Possible enumeration of SIP users due to differing authentication responses
Asterisk Users No Comments

Asterisk Project Security Advisory – AST-2011-011

+————————————————————————+
| Product | Asterisk |
|——————–+—————————————————|
| Summary | Possible enumeration of SIP users due to |
| | differing authentication responses |
|——————–+—————————————————|
| Nature of Advisory | Unauthorized data disclosure |
|——————–+—————————————————|
| Susceptibility | Remote unauthenticated sessions |
|——————–+—————————————————|
| Severity | Moderate |
|——————–+—————————————————|
| Exploits Known | No |
|——————–+—————————————————|
| Reported On | June 11, 2011 |
|——————–+—————————————————|
| Reported By | |
|——————–+—————————————————|
| Posted On | June 28, 2011 |
|——————–+—————————————————|
| Last Updated On | June 28, 2011 |
|——————–+—————————————————|
| Advisory Contact | Terry Wilson |
|——————–+—————————————————|
| CVE Name | CVE-2011-2536 |
+————————————————————————+

+————————————————————————+
| Description | Asterisk may respond differently to SIP requests from an |
| | invalid SIP user than it does to a user configured on |
| | the system, even when the alwaysauthreject option is set |
| | in the configuration. This can leak information about |
| | what SIP users are valid on the Asterisk system. |
+————————————————————————+

+————————————————————————+
| Resolution | Respond to SIP requests from invalid and valid SIP users |
| | in the same way. Asterisk 1.4 and 1.6.2 do not respond |
| | identically by default due to backward-compatibility |
| | reasons, and must have alwaysauthreject=yes set in |
| | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes. |
| | |
| | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4 |
| | and 1.6.2 set alwaysauthreject=yes in the general section |
| | of sip.conf. |
+————————————————————————+

+————————————————————————+
| Affected Versions |
|————————————————————————|
| Product | Release Series | |
|———————————-+—————-+——————–|
| Asterisk Open Source | 1.4.x | All versions |
|———————————-+—————-+——————–|
| Asterisk Open Source | 1.6.2.x | All versions |
|———————————-+—————-+——————–|
| Asterisk Open Source | 1.8.x | All versions |
|———————————-+—————-+——————–|
| Asterisk Business Edition | C.3.x | All versions |
+————————————————————————+

+————————————————————————+
| Corrected In |
|————————————————————————|
| Product | Release |
|———————————-+————————————-|
| Asterisk Open Source | 1.4.41.2, 1.6.2.18.2, 1.8.4.4 |
|———————————-+————————————-|
| Asterisk Business Edition | C.3.7.3 |
|———————————-+————————————-|
+————————————————————————+

+—————————————————————————+
| Patches |
|—————————————————————————|
| Download URL |Revision|
|——————————————————————+——–|
|http://downloads.asterisk.org/pub/security/AST-2011-011-1.4.diff |1.4 |
|——————————————————————+——–|
|http://downloads.asterisk.org/pub/security/AST-2011-011-1.6.2.diff|1.6.2 |
|——————————————————————+——–|
|http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff |1.8 |
+—————————————————————————+

+————————————————————————+
| Links | |
+————————————————————————+

+————————————————————————+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2011-011.pdf and |
| http://downloads.digium.com/pub/security/AST-2011-011.html |
+————————————————————————+

+————————————————————————+
| Revision History |
|————————————————————————|
| Date | Editor | Revisions Made |
|——————–+———————+—————————–|
+————————————————————————+

Asterisk Project Security Advisory – AST-2011-011
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.