Asterisk Project Security Advisory - AST-2009-003
+-----------------------------------------------------------------------+
| Product            | Asterisk                                         |
|--------------------+--------------------------------------------------|
| Summary            | SIP responses expose valid usernames             |
|--------------------+--------------------------------------------------|
| Nature of Advisory | Information leak                                 |
|--------------------+--------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                  |
|--------------------+--------------------------------------------------|
| Severity           | Minor                                            |
|--------------------+--------------------------------------------------|
| Exploits Known     | No                                               |
|--------------------+--------------------------------------------------|
| Reported On        | February 23, 2009                                |
|--------------------+--------------------------------------------------|
| Reported By        | Gentoo Linux Project: Kerin Millar ( kerframil on|
|                    | irc.freenode.net ) and Fergal Glynn < FGlynn AT  |
|                    | veracode DOT com >                               |
|--------------------+--------------------------------------------------|
| Posted On          | April 2, 2009                                    |
|--------------------+--------------------------------------------------|
| Last Updated On    | April 2, 2009                                    |
|--------------------+--------------------------------------------------|
| Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >    |
|--------------------+--------------------------------------------------|
| CVE Name           | CVE-2008-3903                                    |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Description        | In 2006, the Asterisk maintainers made it harder |
|                    | to scan for valid SIP usernames by adding the    |
|                    | "alwaysauthreject" option. When enabled, it      |
|                    | returns a 401 Unauthorized challenge for requests|
|                    | from users that do not exist, instead of a       |
|                    | response that reveals the account is unknown.    |
|                    | That was sufficient then, but as compliance with |
|                    | RFC 3261, the SIP specification, has increased,  |
|                    | responses elsewhere in the dialog once again     |
|                    | differ between existing and non-existent users,  |
|                    | so an attacker can still compare responses to    |
|                    | verify whether a SIP account exists on a machine.|
|                    |                                                  |
|                    | The fix carefully emulates exactly the same      |
|                    | responses throughout every possible dialog, which|
|                    | should prevent attackers from gleaning this      |
|                    | information. With the option enabled, every      |
|                    | request for a non-existent user now receives, at |
|                    | each stage of the dialog, the same responses a   |
|                    | valid username with an incorrect password would. |
|                    |                                                  |
|                    | Several points are worth noting. First, this     |
|                    | weakness follows directly from the SIP           |
|                    | specification: returning these uniform responses |
|                    | is a technical violation of RFC 3261 (and of     |
|                    | subsequent RFCs, as of this date). Second, the   |
|                    | attack is made much harder if administrators     |
|                    | avoid all-numeric usernames and, especially,     |
|                    | all-numeric passwords. That combination is       |
|                    | extremely vulnerable on servers connected to the |
|                    | public Internet, even with this patch in place.  |
|                    | While it may make configuring SIP telephones     |
|                    | easier in the short term, it has the potential to|
|                    | cause grief over the long term.                  |
+-----------------------------------------------------------------------+
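The following Python model is added here as an illustration; it is not Asterisk's chan_sip code and does not claim to reproduce its exact code paths. It reduces a REGISTER dialog to two rounds (an unauthenticated request, then a retry carrying Digest credentials) and compares three assumed server policies: the original behaviour, the 2006 alwaysauthreject option that only fixed the first response, and the uniform responses this advisory introduces. The peer table, status codes, nonce and digest details are constructed for the example; distinguishable_users() is the comparison an enumeration tool performs, so an empty result is the property the fix is meant to provide.

```python
import hashlib
import secrets

# Constructed peer table for the example (username -> password); not real data.
PEERS = {"alice": "Tr0ub4dor&3", "reception": "n0t-numer1c"}
REALM = "asterisk"


def sip_response(code, reason, headers=None):
    """Render a minimal SIP response: status line plus headers, no body."""
    lines = ["SIP/2.0 %d %s" % (code, reason)]
    lines += ["%s: %s" % kv for kv in (headers or {}).items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def status_code(response):
    """Extract the numeric status from a SIP response string."""
    return int(response.split(" ", 2)[1])


def digest_response(username, password, nonce):
    """RFC 2617 digest for REGISTER sip:REALM (no qop, kept short on purpose)."""
    ha1 = hashlib.md5(("%s:%s:%s" % (username, REALM, password)).encode()).hexdigest()
    ha2 = hashlib.md5(("REGISTER:sip:%s" % REALM).encode()).hexdigest()
    return hashlib.md5(("%s:%s:%s" % (ha1, nonce, ha2)).encode()).hexdigest()


def challenge(nonce):
    """401 with a Digest challenge; identical for every username by design."""
    www = 'Digest realm="%s", nonce="%s"' % (REALM, nonce)
    return sip_response(401, "Unauthorized", {"WWW-Authenticate": www})


def password_ok(username, nonce, creds):
    """Constant-time check of the client's digest against the expected one."""
    expected = digest_response(username, PEERS[username], nonce)
    return secrets.compare_digest(expected, creds)


# Three assumed server policies. Each takes (username, creds, nonce), where
# creds is the digest hex from the client's retry, or None on the first request.

def register_legacy(username, creds, nonce):
    """Assumed pre-2006 behaviour: unknown users are refused outright, so the
    very first response already reveals whether the account exists."""
    if username not in PEERS:
        return sip_response(404, "Not Found")
    if creds is None:
        return challenge(nonce)
    if password_ok(username, nonce, creds):
        return sip_response(200, "OK")
    return sip_response(403, "Forbidden")


def register_alwaysauthreject_2006(username, creds, nonce):
    """Model of the 2006 option: unknown users always get the 401 challenge,
    but a known user with a bad password still ends in 403, so the second
    round of the dialog leaks what the first round hid."""
    if username not in PEERS or creds is None:
        return challenge(nonce)
    if password_ok(username, nonce, creds):
        return sip_response(200, "OK")
    return sip_response(403, "Forbidden")


def register_uniform(username, creds, nonce):
    """Model of the AST-2009-003 fix: every failure for an unknown user is
    exactly what a known user with the wrong password receives."""
    if creds is None:
        return challenge(nonce)
    if username in PEERS and password_ok(username, nonce, creds):
        return sip_response(200, "OK")
    return sip_response(403, "Forbidden")


# Attacker-side view: the comparison an enumeration tool performs.

def dialog_signature(handler, username, password="wrong", nonce="1a2b3c"):
    """Drive the two-round REGISTER dialog and return the status codes seen."""
    first = handler(username, None, nonce)
    codes = [status_code(first)]
    if codes[0] == 401:
        retry = digest_response(username, password, nonce)
        codes.append(status_code(handler(username, retry, nonce)))
    return tuple(codes)


def distinguishable_users(handler, candidates, baseline="zz-surely-absent-zz"):
    """Return candidates whose dialog differs from a known-nonexistent name;
    an empty list means account existence is not observable this way."""
    reference = dialog_signature(handler, baseline)
    return [u for u in candidates if dialog_signature(handler, u) != reference]


if __name__ == "__main__":
    names = ["alice", "bob", "reception", "1001"]
    for policy in (register_legacy, register_alwaysauthreject_2006, register_uniform):
        print("%-32s distinguishable: %s" % (policy.__name__, distinguishable_users(policy, names)))
```

Only status codes are compared here. A real probe also diffs headers, bodies and timing, which is why the uniform policy must keep the challenge and the final rejection free of any per-user content, not merely pick the same status code.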
+-----------------------------------------------------------------------+
| Resolution         | Upgrade to one of the versions listed below, or  |
|                    | apply one of the patches in the Patches section. |
+-----------------------------------------------------------------------+
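As an added example, not part of this advisory or of the Asterisk project, the following Python script audits a sip.conf for the two configuration points raised in the description: alwaysauthreject left off, and peers with all-numeric usernames or secrets. Both configuration excerpts are constructed for the example (the hardened one shows the same peers renamed and re-secreted); the reader handles plain key=value sections only, and treating a missing alwaysauthreject as "no" is an assumption of the script.

```python
import configparser

# Constructed sip.conf excerpt for this example (not from any real system):
# the option is off and several peers use all-numeric names and/or secrets.
WEAK_SIP_CONF = """
[general]
context=from-sip
alwaysauthreject=no

[1001]
type=friend
secret=1001
host=dynamic

[2002]
type=peer
secret=s3cret-Phrase!
host=dynamic

[desk-lobby]
type=friend
secret=4471
host=dynamic

[alice]
type=friend
secret=Tr0ub4dor&3
host=dynamic
"""

# The same peers after applying the advisory's advice (also constructed).
HARDENED_SIP_CONF = """
[general]
context=from-sip
alwaysauthreject=yes

[lobby-phone]
type=friend
secret=vortex-Lamp-8Qn!
host=dynamic

[sales-east]
type=peer
secret=s3cret-Phrase!
host=dynamic

[desk-lobby]
type=friend
secret=kettle%Orbit-44z
host=dynamic

[alice]
type=friend
secret=Tr0ub4dor&3
host=dynamic
"""

# Spellings Asterisk accepts as "true" for boolean options.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}


def parse_sip_conf(text):
    """Read the ini-like sip.conf syntax. Key and section case is preserved,
    ';' comments and duplicate keys are tolerated. Template sections of the
    form [name](!) are not handled by this reader."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(cp):
    """Return (section, finding) pairs; an empty list means nothing to fix."""
    findings = []
    # Assumption for the example: a missing alwaysauthreject behaves as "no".
    value = cp.get("general", "alwaysauthreject", fallback="no").strip().lower()
    if value not in TRUE_VALUES:
        findings.append(("general", "alwaysauthreject is not enabled"))
    for section in cp.sections():
        if section == "general":
            continue
        if cp.get(section, "type", fallback="").strip() not in ("friend", "peer", "user"):
            continue  # not a SIP entity definition
        if section.isdigit():
            findings.append((section, "all-numeric username"))
        secret = cp.get(section, "secret", fallback=None)
        if secret is None:
            findings.append((section, "no secret configured"))
        elif secret.strip().isdigit():
            findings.append((section, "all-numeric secret"))
        elif secret.strip() == section:
            findings.append((section, "secret equals username"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(label, audit(parse_sip_conf(text)))
```

Renaming an extension's SIP account does not change its dialplan extension number: the peer name is only the authentication username, so phones can keep their numeric extensions while authenticating as a non-numeric identity.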
+-----------------------------------------------------------------------+
|                           Affected Versions                           |
|-----------------------------------------------------------------------|
| Product                    |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Open Source       |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Open Source       |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Open Source       |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Addons            |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Addons            |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Addons            |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Business Edition  |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Business Edition  |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Business Edition  |           |                              |
|----------------------------+-----------+------------------------------|
| Asterisk Business Edition  |           |                              |
|----------------------------+-----------+------------------------------|
| AsteriskNOW                |           |                              |
|----------------------------+-----------+------------------------------|
| s800i (Asterisk Appliance) |           |                              |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                             Corrected In                              |
|-----------------------------------------------------------------------|
| Product                                     |                         |
|---------------------------------------------+-------------------------|
| Asterisk Open Source                        |                         |
|---------------------------------------------+-------------------------|
| Asterisk Open Source                        |                         |
|---------------------------------------------+-------------------------|
| Asterisk Open Source                        |                         |
|---------------------------------------------+-------------------------|
| Asterisk Business Edition                   |                         |
|---------------------------------------------+-------------------------|
| Asterisk Business Edition                   |                         |
|---------------------------------------------+-------------------------|
| Asterisk Business Edition                   |                         |
|---------------------------------------------+-------------------------|
| s800i (Asterisk Appliance)                  |                         |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                                Patches                                |
|-----------------------------------------------------------------------|
| Patch URL                                                      |      |
|----------------------------------------------------------------+------|
| http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt  |      |
|----------------------------------------------------------------+------|
| http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt  |      |
|----------------------------------------------------------------+------|
| http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt|      |
|----------------------------------------------------------------+------|
| http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt|      |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Links              | http://www.faqs.org/rfcs/rfc3261.html            |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                    |
| http://www.asterisk.org/security                                      |
|                                                                       |
| This document may be superseded by later versions; if so, the latest  |
| version will be posted at                                             |
| http://downloads.digium.com/pub/security/AST-2009-003.pdf and         |
| http://downloads.digium.com/pub/security/AST-2009-003.html            |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                           Revision History                            |
|-----------------------------------------------------------------------|
| Date            |                       |                             |
|-----------------+-----------------------+-----------------------------|
| 2009-04-02      |                       |                             |
+-----------------------------------------------------------------------+
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.