lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1QbewG-0007Yf-09@mail.digium.com>
Date: Tue, 28 Jun 2011 15:31:16 -0500
From: "Asterisk Security Team" <security@...erisk.org>
To: full-disclosure@...ts.grok.org.uk
Subject: AST-2011-011: Possible enumeration of SIP users
	due to differing authentication responses

               Asterisk Project Security Advisory - AST-2011-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Possible enumeration of SIP users due to          |
   |                    | differing authentication responses                |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized data disclosure                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | June 11, 2011                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     |                                                   |
   |--------------------+---------------------------------------------------|
   |     Posted On      | June 28, 2011                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | June 28, 2011                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Terry Wilson <twilson@...ium.com>                 |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2011-2536                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk may respond differently to SIP requests from an |
   |             | invalid SIP user than it does to a user configured on    |
   |             | the system, even when the alwaysauthreject option is set |
   |             | in the configuration. This can leak information about    |
   |             | what SIP users are valid on the Asterisk system.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Respond to SIP requests from invalid and valid SIP users  |
   |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
   |            | identically by default due to backward-compatibility      |
   |            | reasons, and must have alwaysauthreject=yes set in        |
   |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
   |            |                                                           |
   |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
   |            | and 1.6.2 set alwaysauthreject=yes in the general section |
   |            | of sip.conf.                                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.2.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.3.x      | All versions       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |             Product              |               Release               |
   |----------------------------------+-------------------------------------|
   |       Asterisk Open Source       |    1.4.41.2, 1.6.2.18.2, 1.8.4.4    |
   |----------------------------------+-------------------------------------|
   |    Asterisk Business Edition     |               C.3.7.3               |
   |----------------------------------+-------------------------------------|
   +------------------------------------------------------------------------+

   +---------------------------------------------------------------------------+
   |                                  Patches                                  |
   |---------------------------------------------------------------------------|
   |                           Download URL                           |Revision|
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.4.diff  |1.4     |
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.6.2.diff|1.6.2   |
   |------------------------------------------------------------------+--------|
   |http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff  |1.8     |
   +---------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |         Links          |                                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2011-011.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2011-011.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |       Editor        |       Revisions Made        |
   |--------------------+---------------------+-----------------------------|
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2011-011
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ