lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 10 Jan 2009 17:40:39 +0000
From: nnp <version5@...il.com>
To: "Asterisk Security Team" <security@...erisk.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: AST-2009-001: Information leak in IAX2
	authentication

*stiffles a giggle*

What an interesting advisory/patch this is. I would humbly suggest
having another go as gold stars will be awarded next time for
correctness!

On Thu, Jan 8, 2009 at 7:28 PM, Asterisk Security Team
<security@...erisk.org> wrote:
>               Asterisk Project Security Advisory - AST-2009-001
>
>   +------------------------------------------------------------------------+
>   |       Product        | Asterisk                                        |
>   |----------------------+-------------------------------------------------|
>   |       Summary        | Information leak in IAX2 authentication         |
>   |----------------------+-------------------------------------------------|
>   |  Nature of Advisory  | Unauthorized data disclosure                    |
>   |----------------------+-------------------------------------------------|
>   |    Susceptibility    | Remote Unauthenticated Sessions                 |
>   |----------------------+-------------------------------------------------|
>   |       Severity       | Minor                                           |
>   |----------------------+-------------------------------------------------|
>   |    Exploits Known    | Yes                                             |
>   |----------------------+-------------------------------------------------|
>   |     Reported On      | October 15, 2008                                |
>   |----------------------+-------------------------------------------------|
>   |     Reported By      | http://www.unprotectedhex.com                   |
>   |----------------------+-------------------------------------------------|
>   |      Posted On       | January 7, 2009                                 |
>   |----------------------+-------------------------------------------------|
>   |   Last Updated On    | January 7, 2009                                 |
>   |----------------------+-------------------------------------------------|
>   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
>   |----------------------+-------------------------------------------------|
>   |       CVE Name       | CVE-2009-0041                                   |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   | Description | IAX2 provides a different response during authentication |
>   |             | when a user does not exist, as compared to when the      |
>   |             | password is merely wrong. This allows an attacker to     |
>   |             | scan a host to find specific users on which to           |
>   |             | concentrate password cracking attempts.                  |
>   |             |                                                          |
>   |             | The workaround involves sending back responses that are  |
>   |             | valid for that particular site. For example, if it were  |
>   |             | known that a site only uses RSA authentication, then     |
>   |             | sending back an MD5 authentication request would         |
>   |             | similarly identify the user as not existing. The         |
>   |             | opposite is also true. So the solution is always to send |
>   |             | back an authentication response that corresponds to a    |
>   |             | known frequency with which real authentication responses |
>   |             | are returned, when the user does not exist. This makes   |
>   |             | it very difficult for an attacker to guess whether a     |
>   |             | user exists or not, based upon this particular           |
>   |             | mechanism.                                               |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
>   |            | the 1.4 branch or one of the releases noted below.        |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   |                           Affected Versions                            |
>   |------------------------------------------------------------------------|
>   |          Product           | Release |                                 |
>   |                            | Series  |                                 |
>   |----------------------------+---------+---------------------------------|
>   |    Asterisk Open Source    |  1.2.x  | All version prior to 1.2.31     |
>   |----------------------------+---------+---------------------------------|
>   |    Asterisk Open Source    |  1.4.x  | All versions prior to           |
>   |                            |         | 1.4.23-rc4                      |
>   |----------------------------+---------+---------------------------------|
>   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |
>   |                            |         | 1.6.0.3-rc2                     |
>   |----------------------------+---------+---------------------------------|
>   |      Asterisk Addons       |  1.2.x  | Not affected                    |
>   |----------------------------+---------+---------------------------------|
>   |      Asterisk Addons       |  1.4.x  | Not affected                    |
>   |----------------------------+---------+---------------------------------|
>   |      Asterisk Addons       |  1.6.x  | Not affected                    |
>   |----------------------------+---------+---------------------------------|
>   | Asterisk Business Edition  |  A.x.x  | All versions                    |
>   |----------------------------+---------+---------------------------------|
>   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.7   |
>   |----------------------------+---------+---------------------------------|
>   | Asterisk Business Edition  | C.1.x.x | All versions prior to C.1.10.4  |
>   |----------------------------+---------+---------------------------------|
>   | Asterisk Business Edition  | C.2.x.x | All versions prior to C.2.1.2.1 |
>   |----------------------------+---------+---------------------------------|
>   |        AsteriskNOW         |   1.5   | Not affected                    |
>   |----------------------------+---------+---------------------------------|
>   | s800i (Asterisk Appliance) |  1.2.x  | All versions prior to 1.3.0     |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   |                              Corrected In                              |
>   |------------------------------------------------------------------------|
>   |                  Product                   |          Release          |
>   |--------------------------------------------+---------------------------|
>   |            Asterisk Open Source            |          1.2.31           |
>   |--------------------------------------------+---------------------------|
>   |            Asterisk Open Source            |         1.4.22.1          |
>   |--------------------------------------------+---------------------------|
>   |            Asterisk Open Source            |          1.6.0.3          |
>   |--------------------------------------------+---------------------------|
>   |         Asterisk Business Edition          |          B.2.5.7          |
>   |--------------------------------------------+---------------------------|
>   |         Asterisk Business Edition          |         C.1.10.4          |
>   |--------------------------------------------+---------------------------|
>   |         Asterisk Business Edition          |         C.2.1.2.1         |
>   |--------------------------------------------+---------------------------|
>   |         s800i (Asterisk Appliance)         |           1.3.0           |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   |                                Patches                                 |
>   |------------------------------------------------------------------------|
>   |                               URL                               |Branch|
>   |-----------------------------------------------------------------+------|
>   |http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff   |1.2   |
>   |-----------------------------------------------------------------+------|
>   |http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff   |1.4   |
>   |-----------------------------------------------------------------+------|
>   |http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   |        Links        | http://code.google.com/p/iaxscan/                |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   | Asterisk Project Security Advisories are posted at                     |
>   | http://www.asterisk.org/security                                       |
>   |                                                                        |
>   | This document may be superseded by later versions; if so, the latest   |
>   | version will be posted at                                              |
>   | http://downloads.digium.com/pub/security/AST-2009-001.pdf and          |
>   | http://downloads.digium.com/pub/security/AST-2009-001.html             |
>   +------------------------------------------------------------------------+
>
>   +------------------------------------------------------------------------+
>   |                            Revision History                            |
>   |------------------------------------------------------------------------|
>   |      Date       |         Editor         |       Revisions Made        |
>   |-----------------+------------------------+-----------------------------|
>   | 2009-01-07      | Tilghman Lesher        | Initial release             |
>   +------------------------------------------------------------------------+
>
>               Asterisk Project Security Advisory - AST-2009-001
>              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
>  Permission is hereby granted to distribute and publish this advisory in its
>                           original, unaltered form.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://www.unprotectedhex.com
http://www.smashthestack.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ