<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr"><<a href="mailto:security@asterisk.org">security@asterisk.org</a>></span><br>
Date: 2009/4/2<br>Subject: [asterisk-dev] AST-2009-003: SIP responses expose valid usernames<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br><div><div></div><div class="h5">
Asterisk Project Security Advisory - AST-2009-003<br>
<br>
+------------------------------------------------------------------------+<br>
| Product | Asterisk |<br>
|--------------------+---------------------------------------------------|<br>
| Summary | SIP responses expose valid usernames |<br>
|--------------------+---------------------------------------------------|<br>
| Nature of Advisory | Information leak |<br>
|--------------------+---------------------------------------------------|<br>
| Susceptibility | Remote Unauthenticated Sessions |<br>
|--------------------+---------------------------------------------------|<br>
| Severity | Minor |<br>
|--------------------+---------------------------------------------------|<br>
| Exploits Known | No |<br>
|--------------------+---------------------------------------------------|<br>
| Reported On | February 23, 2009 |<br>
|--------------------+---------------------------------------------------|<br>
| Reported By | Gentoo Linux Project: Kerin Millar ( kerframil on |<br>
| | <a href="http://irc.freenode.net" target="_blank">irc.freenode.net</a> ) and Fergal Glynn < FGlynn AT |<br>
| | veracode DOT com > |<br>
|--------------------+---------------------------------------------------|<br>
| Posted On | April 2, 2009 |<br>
|--------------------+---------------------------------------------------|<br>
| Last Updated On | April 2, 2009 |<br>
|--------------------+---------------------------------------------------|<br>
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |<br>
|--------------------+---------------------------------------------------|<br>
| CVE Name | CVE-2008-3903 |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Description | In 2006, the Asterisk maintainers made it more difficult |<br>
| | to scan for valid SIP usernames by implementing an |<br>
| | option called "alwaysauthreject", which should return a |<br>
| | 401 error on all replies which are generated for users |<br>
| | which do not exist. While this was sufficient at the |<br>
| | time, due to ever-increasing compliance with RFC 3261, |<br>
| | the SIP specification, that is no longer sufficient as a |<br>
| | means towards preventing attackers from checking |<br>
| | responses to verify whether a SIP account exists on a |<br>
| | machine. |<br>
| | |<br>
| | What we have done is to carefully emulate exactly the |<br>
| | same responses throughout possible dialogs, which should |<br>
| | prevent attackers from gleaning this information. All |<br>
| | invalid users, if this option is turned on, will receive |<br>
| | the same response throughout the dialog, as if a |<br>
| | username was valid, but the password was incorrect. |<br>
| | |<br>
| | It is important to note several things. First, this |<br>
| | vulnerability is derived directly from the SIP |<br>
| | specification, and it is a technical violation of RFC |<br>
| | 3261 (and subsequent RFCs, as of this date), for us to |<br>
| | return these responses. Second, this attack is made much |<br>
| | more difficult if administrators avoid creating |<br>
| | all-numeric usernames and especially all-numeric |<br>
| | passwords. This combination is extremely vulnerable for |<br>
| | servers connected to the public Internet, even with this |<br>
| | patch in place. While it may make configuring SIP |<br>
| | telephones easier in the short term, it has the |<br>
| | potential to cause grief over the long term. |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Resolution | Upgrade to one of the versions below, or apply one of the |<br>
| | patches specified in the Patches section. |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Affected Versions |<br>
|------------------------------------------------------------------------|<br>
| Product | Release | |<br>
| | Series | |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.32 |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Open Source | 1.4.x | All versions prior to |<br>
| | | 1.4.24.1 |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Open Source | 1.6.0.x | All versions prior to |<br>
| | | 1.6.0.8 |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Addons | 1.2.x | Not affected |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Addons | 1.4.x | Not affected |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Addons | 1.6.x | Not affected |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Business Edition | A.x.x | All versions |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Business Edition | B.x.x | All versions prior to |<br>
| | | B.2.5.8 |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Business Edition | C.1.x.x | All versions prior to |<br>
| | | C.1.10.5 |<br>
|----------------------------+------------+------------------------------|<br>
| Asterisk Business Edition | C.2.x.x | All versions prior to |<br>
| | | C.2.3.3 |<br>
|----------------------------+------------+------------------------------|<br>
| AsteriskNOW | 1.5 | Not affected |<br>
|----------------------------+------------+------------------------------|<br>
| s800i (Asterisk Appliance) | 1.3.x | All versions prior to |<br>
| | | 1.3.0.2 |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Corrected In |<br>
|------------------------------------------------------------------------|<br>
| Product | Release |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Open Source | 1.2.32 |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Open Source | 1.4.24.1 |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Open Source | 1.6.0.8 |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Business Edition | B.2.5.8 |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Business Edition | C.1.10.5 |<br>
|---------------------------------------------+--------------------------|<br>
| Asterisk Business Edition | C.2.3.3 |<br>
|---------------------------------------------+--------------------------|<br>
| s800i (Asterisk Appliance) | 1.3.0.2 |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Patches |<br>
|------------------------------------------------------------------------|<br>
| Patch URL |Version|<br>
|----------------------------------------------------------------+-------|<br>
|<a href="http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt" target="_blank">http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt</a> | 1.2 |<br>
|----------------------------------------------------------------+-------|<br>
|<a href="http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt" target="_blank">http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt</a> | 1.4 |<br>
|----------------------------------------------------------------+-------|<br>
|<a href="http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt" target="_blank">http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt</a> | 1.6.0 |<br>
|----------------------------------------------------------------+-------|<br>
|<a href="http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt" target="_blank">http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt</a> | 1.6.1 |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Links | <a href="http://www.faqs.org/rfcs/rfc3261.html" target="_blank">http://www.faqs.org/rfcs/rfc3261.html</a> |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Asterisk Project Security Advisories are posted at |<br>
| <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a> |<br>
| |<br>
| This document may be superseded by later versions; if so, the latest |<br>
| version will be posted at |<br>
| <a href="http://downloads.digium.com/pub/security/AST-2009-003.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2009-003.pdf</a> and |<br>
| <a href="http://downloads.digium.com/pub/security/AST-2009-003.html" target="_blank">http://downloads.digium.com/pub/security/AST-2009-003.html</a> |<br>
+------------------------------------------------------------------------+<br>
<br>
+------------------------------------------------------------------------+<br>
| Revision History |<br>
|------------------------------------------------------------------------|<br>
| Date | Editor | Revisions Made |<br>
|-----------------+------------------------+-----------------------------|<br>
| 2009-04-02 | Tilghman Lesher | Initial release |<br>
+------------------------------------------------------------------------+<br>
<br>
Asterisk Project Security Advisory - AST-2009-003<br>
Copyright (c) 2009 Digium, Inc. All Rights Reserved.<br>
Permission is hereby granted to distribute and publish this advisory in its<br>
original, unaltered form.<br>
<br>
<br>
</div></div></div>
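To make the mitigation in the advisory concrete, the following is an added illustration, not Asterisk's chan_sip code and not part of the advisory: a simplified Python model of a registrar answering a two-step REGISTER dialog with and without the behaviour the description attributes to the alwaysauthreject option. The peer table, the fixed nonce and the status codes chosen for the leaky branch are constructed assumptions for the model; leaks_usernames() is a defender's self-check that compares the whole dialog seen by an unknown user with the one seen by a known user presenting a wrong secret, which is exactly the property the fix restores.

```python
# Added illustration for AST-2009-003: a simplified model of a SIP registrar
# deciding how to answer REGISTER. Not Asterisk's chan_sip code; the status
# codes on the leaky branch are illustrative assumptions, not Asterisk's.

# Constructed peer table standing in for sip.conf entries (username -> secret).
PEERS = {"alice": "correct horse battery", "bob": "another long secret"}
REALM = "asterisk"
NONCE = "constructed-nonce"  # a real server generates a fresh nonce per challenge


def handle_register(user, secret=None, alwaysauthreject=False):
    """Return (status, reason, headers) for one REGISTER request.

    secret=None models the initial, unauthenticated request; any other value
    models the client's retry carrying credentials after a 401 challenge.
    """
    exists = user in PEERS
    if not exists and not alwaysauthreject:
        # Leaky branch: an unknown user is answered differently from a known
        # user at every step, so the status code alone reveals that the
        # account does not exist.
        return (404, "Not Found", {})
    if secret is None:
        # Known users, and unknown users once alwaysauthreject is on, are
        # challenged with an identical 401 on the first request.
        return (401, "Unauthorized",
                {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{NONCE}"'})
    if exists and secret == PEERS[user]:
        return (200, "OK", {"Expires": "3600"})
    # Second step of the dialog: a wrong secret and (with the fix) an unknown
    # user receive the same response, so neither outcome confirms a username.
    return (403, "Forbidden", {})


def dialog(user, secret, alwaysauthreject):
    """Run the two-step REGISTER exchange and return both responses in order."""
    first = handle_register(user, None, alwaysauthreject)
    second = handle_register(user, secret, alwaysauthreject)
    return [first, second]


def leaks_usernames(alwaysauthreject):
    """Self-check on the model: True if an unknown user and a known user with a
    wrong secret can be told apart by any response in the dialog."""
    unknown = dialog("nosuchuser", "guess", alwaysauthreject)
    wrong_secret = dialog("alice", "guess", alwaysauthreject)
    return unknown != wrong_secret


if __name__ == "__main__":
    print("alwaysauthreject=no  leaks usernames:", leaks_usernames(False))
    print("alwaysauthreject=yes leaks usernames:", leaks_usernames(True))
```

The model only covers status codes and headers; the advisory's point that the same response must hold "throughout possible dialogs" means a real check also has to cover later messages (for example INVITE handling) and not just REGISTER.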