Bug#522528: AST-2009-003: SIP responses expose valid usernames

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat Apr 4 15:24:59 UTC 2009 

Package: asterisk
version: 1:1.4.21.2~dfsg-3
Severity: grave
Tags: patch

The Asterisk Project has issued the following advisory:
http://downloads.digium.com/pub/asa/AST-2009-003.html

It affects the versions in oldstable (1.2.13), stable/testing/unstable 
(1.4.21) and experimental (1.6.1-rc3. rc4, fixing this should be
released shortly). 

CVE entry: CVE-2008-3903

I'd like to include here the text of the advisory, as I believe it is
worth restating:

  In 2006, the Asterisk maintainers made it more difficult to scan for
  valid SIP usernames by implementing an option called
  "alwaysauthreject", which should return a 401 error on all replies
  which are generated for users which do not exist. While this was
  sufficient at the time, due to ever increasing compliance with RFC
  3261, the SIP specification, that is no longer sufficient as a means
  towards preventing attackers from checking responses to verify whether
  a SIP account exists on a machine.

  What we have done is to carefully emulate exactly the same responses
  throughout possible dialogs, which should prevent attackers from
  gleaning this information. All invalid users, if this option is turned
  on, will receive the same response throughout the dialog, as if a
  username was valid, but the password was incorrect.

  It is important to note several things. First, this vulnerability is
  derived directly from the SIP specification, and it is a technical
  violation of RFC 3261 (and subsequent RFCs, as of this date), for us
  to return these responses. Second, this attack is made much more
  difficult if administrators avoided creating all-numeric usernames and
  especially all-numeric passwords. This combination is extremely
  vulnerable for servers connected to the public Internet, even with
  this patch in place. While it may make configuring SIP telephones
  easier in the short term, it has the potential to cause grief over the
  long term.

Patches are linked from the advisory and are now being tested.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

More information about the Pkg-voip-maintainers mailing list