[security at asterisk.org: [asterisk-users] AST-2009-001: Information leak in IAX2 authentication]

Tzafrir Cohen tzafrir.cohen at xorcom.com
Thu Jan 8 20:46:49 UTC 2009


yey, we get to push yet another version of Asterisk.

Though I feel a bit uncomfortable about the fix: we leak (albeit very
little) information about previous authentication to the next
authentication. Can this actually help a slow scan?

I'd rather wait a bit with this one.

----- Forwarded message from Asterisk Security Team <security at asterisk.org> -----

To: asterisk-users at lists.digium.com
From: Asterisk Security Team <security at asterisk.org>
Date: Thu, 08 Jan 2009 13:28:55 -0600
Subject: [asterisk-users] AST-2009-001: Information leak in IAX2
	authentication
Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>

               Asterisk Project Security Advisory - AST-2009-001

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Information leak in IAX2 authentication         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Unauthorized data disclosure                    |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | Yes                                             |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 15, 2008                                |
   |----------------------+-------------------------------------------------|
   |     Reported By      | http://www.unprotectedhex.com                   |
   |----------------------+-------------------------------------------------|
   |      Posted On       | January 7, 2009                                 |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | January 7, 2009                                 |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2009-0041                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | IAX2 provides a different response during authentication |
   |             | when a user does not exist, as compared to when the      |
   |             | password is merely wrong. This allows an attacker to     |
   |             | scan a host to find specific users on which to           |
   |             | concentrate password cracking attempts.                  |
   |             |                                                          |
   |             | The workaround involves sending back responses that are  |
   |             | valid for that particular site. For example, if it were  |
   |             | known that a site only uses RSA authentication, then     |
   |             | sending back an MD5 authentication request would         |
   |             | similarly identify the user as not existing. The         |
   |             | opposite is also true. So the solution is always to send |
   |             | back an authentication response that corresponds to a    |
   |             | known frequency with which real authentication responses |
   |             | are returned, when the user does not exist. This makes   |
   |             | it very difficult for an attacker to guess whether a     |
   |             | user exists or not, based upon this particular           |
   |             | mechanism.                                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
   |            | the 1.4 branch or one of the releases noted below.        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All version prior to 1.2.31     |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to           |
   |                            |         | 1.4.23-rc4                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |
   |                            |         | 1.6.0.3-rc2                     |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | All versions                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.7   |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  | C.1.x.x | All versions prior to C.1.10.4  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  | C.2.x.x | All versions prior to C.2.1.2.1 |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | Not affected                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | All versions prior to 1.3.0     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.2.31           |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.4.22.1          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.6.0.3          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          B.2.5.7          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         C.1.10.4          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         C.2.1.2.1         |
   |--------------------------------------------+---------------------------|
   |         s800i (Asterisk Appliance)         |           1.3.0           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                               URL                               |Branch|
   |-----------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff   |1.2   |
   |-----------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff   |1.4   |
   |-----------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        | http://code.google.com/p/iaxscan/                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-001.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-001.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2009-01-07      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-001
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

----- End forwarded message -----

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir



More information about the Pkg-voip-maintainers mailing list