Bug#632029: asterisk: AST-2011-011 (CVE-2011-2536) Possible enumeration of SIP users

Tzafrir Cohen tzafrir at debian.org
Wed Jun 29 08:46:18 UTC 2011


Package: asterisk
Version: 1:1.8.4.2-1.8979
Severity: grave
Tags: security upstream patch
Justification: user security hole

Asterisk may respond differently to SIP requests from an invalid SIP
user than it does to a user configured on the system, even when the
alwaysauthreject option is set in the configuration. This can leak
information about what SIP users are valid on the Asterisk system.

Respond to SIP requests from invalid and valid SIP users in the same way.
Asterisk 1.4 (in Oldstable) and 1.6.2 (in Stable) do not respond
identically by default due to backward-compatibility reasons, and must
have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to
alwaysauthreject=yes.
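As an added check (not part of this bug report or of the Asterisk code base), the following Python reads the [general] section of a sip.conf and the Debian package version and reports whether the alwaysauthreject defence described above is in effect, applying the version defaults stated here (1.4 and 1.6.2 default to no, 1.8 to yes). The config texts, the 1.6.2 version string and the function names are constructed for this example, and #include directives are not followed.

```python
"""Check whether an Asterisk sip.conf enforces alwaysauthreject (CVE-2011-2536)."""
import re
from typing import Optional

# Truth strings accepted by Asterisk's config parser (ast_true).
_TRUE = {"yes", "true", "on", "1", "y", "t"}


def upstream_version(debian_version: str) -> tuple:
    """'1:1.8.4.2-1.8979' -> (1, 8, 4, 2): drop the epoch and the Debian revision."""
    v = debian_version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", v))


def default_alwaysauthreject(debian_version: str) -> bool:
    """Asterisk 1.8 defaults to alwaysauthreject=yes; 1.4 and 1.6.2 default to no."""
    return upstream_version(debian_version)[:2] >= (1, 8)


def general_option(sip_conf: str, key: str) -> Optional[str]:
    """Last value of `key` in [general], or None. Accepts 'k=v' and 'k=>v',
    strips ';' comments. Assumption: #include lines are ignored."""
    section, value = None, None
    for raw in sip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r"([\w-]+)\s*=>?\s*(.*)$", line)
        if section == "general" and m and m.group(1).lower() == key:
            value = m.group(2).strip()
    return value


def enumeration_hardened(sip_conf: str, debian_version: str) -> bool:
    """True when unknown and known users get the same reply: an explicit
    alwaysauthreject=yes, or no setting on a version whose default is yes."""
    value = general_option(sip_conf, "alwaysauthreject")
    if value is None:
        return default_alwaysauthreject(debian_version)
    return value.lower() in _TRUE


# Constructed sample configs: the first relies on the version default.
WEAK_CONF = "[general]\ncontext=default\n[1000]\ntype=friend\n"
HARDENED_CONF = "[general]\ncontext=default\nalwaysauthreject=yes ; same reply for all\n[1000]\ntype=friend\n"
```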
