| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <28749c0e0901100940u28f695c1vfee156f0bd07677a@mail.gmail.com> Date: Sat, 10 Jan 2009 17:40:39 +0000 From: nnp <version5@...il.com> To: "Asterisk Security Team" <security@...erisk.org> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: AST-2009-001: Information leak in IAX2 authentication *stiffles a giggle* What an interesting advisory/patch this is. I would humbly suggest having another go as gold stars will be awarded next time for correctness! On Thu, Jan 8, 2009 at 7:28 PM, Asterisk Security Team <security@...erisk.org> wrote: > Asterisk Project Security Advisory - AST-2009-001 > > +------------------------------------------------------------------------+ > | Product | Asterisk | > |----------------------+-------------------------------------------------| > | Summary | Information leak in IAX2 authentication | > |----------------------+-------------------------------------------------| > | Nature of Advisory | Unauthorized data disclosure | > |----------------------+-------------------------------------------------| > | Susceptibility | Remote Unauthenticated Sessions | > |----------------------+-------------------------------------------------| > | Severity | Minor | > |----------------------+-------------------------------------------------| > | Exploits Known | Yes | > |----------------------+-------------------------------------------------| > | Reported On | October 15, 2008 | > |----------------------+-------------------------------------------------| > | Reported By | http://www.unprotectedhex.com | > |----------------------+-------------------------------------------------| > | Posted On | January 7, 2009 | > |----------------------+-------------------------------------------------| > | Last Updated On | January 7, 2009 | > |----------------------+-------------------------------------------------| > | Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > | > |----------------------+-------------------------------------------------| > | CVE Name | CVE-2009-0041 | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Description | IAX2 provides a different response during authentication | > | | when a user does not exist, as compared to when the | > | | password is merely wrong. This allows an attacker to | > | | scan a host to find specific users on which to | > | | concentrate password cracking attempts. | > | | | > | | The workaround involves sending back responses that are | > | | valid for that particular site. For example, if it were | > | | known that a site only uses RSA authentication, then | > | | sending back an MD5 authentication request would | > | | similarly identify the user as not existing. The | > | | opposite is also true. So the solution is always to send | > | | back an authentication response that corresponds to a | > | | known frequency with which real authentication responses | > | | are returned, when the user does not exist. This makes | > | | it very difficult for an attacker to guess whether a | > | | user exists or not, based upon this particular | > | | mechanism. | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of | > | | the 1.4 branch or one of the releases noted below. | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Affected Versions | > |------------------------------------------------------------------------| > | Product | Release | | > | | Series | | > |----------------------------+---------+---------------------------------| > | Asterisk Open Source | 1.2.x | All version prior to 1.2.31 | > |----------------------------+---------+---------------------------------| > | Asterisk Open Source | 1.4.x | All versions prior to | > | | | 1.4.23-rc4 | > |----------------------------+---------+---------------------------------| > | Asterisk Open Source | 1.6.x | All versions prior to | > | | | 1.6.0.3-rc2 | > |----------------------------+---------+---------------------------------| > | Asterisk Addons | 1.2.x | Not affected | > |----------------------------+---------+---------------------------------| > | Asterisk Addons | 1.4.x | Not affected | > |----------------------------+---------+---------------------------------| > | Asterisk Addons | 1.6.x | Not affected | > |----------------------------+---------+---------------------------------| > | Asterisk Business Edition | A.x.x | All versions | > |----------------------------+---------+---------------------------------| > | Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 | > |----------------------------+---------+---------------------------------| > | Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 | > |----------------------------+---------+---------------------------------| > | Asterisk Business Edition | C.2.x.x | All versions prior to C.2.1.2.1 | > |----------------------------+---------+---------------------------------| > | AsteriskNOW | 1.5 | Not affected | > |----------------------------+---------+---------------------------------| > | s800i (Asterisk Appliance) | 1.2.x | All versions prior to 1.3.0 | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Corrected In | > |------------------------------------------------------------------------| > | Product | Release | > |--------------------------------------------+---------------------------| > | Asterisk Open Source | 1.2.31 | > |--------------------------------------------+---------------------------| > | Asterisk Open Source | 1.4.22.1 | > |--------------------------------------------+---------------------------| > | Asterisk Open Source | 1.6.0.3 | > |--------------------------------------------+---------------------------| > | Asterisk Business Edition | B.2.5.7 | > |--------------------------------------------+---------------------------| > | Asterisk Business Edition | C.1.10.4 | > |--------------------------------------------+---------------------------| > | Asterisk Business Edition | C.2.1.2.1 | > |--------------------------------------------+---------------------------| > | s800i (Asterisk Appliance) | 1.3.0 | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Patches | > |------------------------------------------------------------------------| > | URL |Branch| > |-----------------------------------------------------------------+------| > |http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 | > |-----------------------------------------------------------------+------| > |http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 | > |-----------------------------------------------------------------+------| > |http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Links | http://code.google.com/p/iaxscan/ | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Asterisk Project Security Advisories are posted at | > | http://www.asterisk.org/security | > | | > | This document may be superseded by later versions; if so, the latest | > | version will be posted at | > | http://downloads.digium.com/pub/security/AST-2009-001.pdf and | > | http://downloads.digium.com/pub/security/AST-2009-001.html | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Revision History | > |------------------------------------------------------------------------| > | Date | Editor | Revisions Made | > |-----------------+------------------------+-----------------------------| > | 2009-01-07 | Tilghman Lesher | Initial release | > +------------------------------------------------------------------------+ > > Asterisk Project Security Advisory - AST-2009-001 > Copyright (c) 2009 Digium, Inc. All Rights Reserved. > Permission is hereby granted to distribute and publish this advisory in its > original, unaltered form. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.unprotectedhex.com http://www.smashthestack.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists