<div dir="ltr">PSC<br><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr"><<a href="mailto:security@asterisk.org">security@asterisk.org</a>></span><br>
Date: 2013/3/27<br>Subject: [asterisk-dev] AST-2013-003: Username disclosure in SIP channel driver<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br> Asterisk Project Security Advisory - AST-2013-003<br>
<br>
<table>
<tr><td>Product</td><td>Asterisk</td></tr>
<tr><td>Summary</td><td>Username disclosure in SIP channel driver</td></tr>
<tr><td>Nature of Advisory</td><td>Unauthorized data disclosure</td></tr>
<tr><td>Susceptibility</td><td>Remote Unauthenticated Sessions</td></tr>
<tr><td>Severity</td><td>Moderate</td></tr>
<tr><td>Exploits Known</td><td>No</td></tr>
<tr><td>Reported On</td><td>January 30, 2013</td></tr>
<tr><td>Reported By</td><td>Walter Doekes, OSSO B.V.</td></tr>
<tr><td>Posted On</td><td>February 21, 2013</td></tr>
<tr><td>Last Updated On</td><td>March 27, 2013</td></tr>
<tr><td>Advisory Contact</td><td>Kinsey Moore &lt;<a href="mailto:kmoore@digium.com">kmoore@digium.com</a>&gt;</td></tr>
<tr><td>CVE Name</td><td>CVE-2013-2264</td></tr>
</table>
<br>
<b>Description</b>
<p>When authenticating via SIP with alwaysauthreject enabled, allowguest disabled, and autocreatepeer disabled, Asterisk discloses whether a user exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.</p>
<p>This information was disclosed:</p>
<ul>
<li>when a "407 Proxy Authentication Required" response was sent instead of a "401 Unauthorized" response;</li>
<li>due to the presence or absence of additional tags at the end of "403 Forbidden", such as "(Bad auth)";</li>
<li>when a "401 Unauthorized" response was sent instead of a "403 Forbidden" response after a retransmission;</li>
<li>when retransmissions were sent when a matching peer did not exist, but were not when a matching peer did exist.</li>
</ul>
<br>
<b>Resolution</b><br>
This issue can only be mitigated by upgrading to versions of Asterisk that contain the patch or applying the patch.<br>
<br>
<b>Affected Versions</b><br>
<table>
<tr><th>Product</th><th>Release Series</th><th>Affected</th></tr>
<tr><td>Asterisk Open Source</td><td>1.8.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Open Source</td><td>10.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Open Source</td><td>11.x</td><td>All Versions</td></tr>
<tr><td>Certified Asterisk</td><td>1.8.15</td><td>All Versions</td></tr>
<tr><td>Asterisk Business Edition</td><td>C.3.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Digiumphones</td><td>10.x-digiumphones</td><td>All Versions</td></tr>
</table>
<br>
<b>Corrected In</b><br>
<table>
<tr><th>Product</th><th>Release</th></tr>
<tr><td>Asterisk Open Source</td><td>1.8.20.2, 10.12.2, 11.2.2</td></tr>
<tr><td>Asterisk Digiumphones</td><td>10.12.2-digiumphones</td></tr>
<tr><td>Certified Asterisk</td><td>1.8.15-cert2</td></tr>
<tr><td>Asterisk Business Edition</td><td>C.3.8.1</td></tr>
</table>
<br>
<b>Patches</b><br>
<table>
<tr><th>SVN URL</th><th>Revision</th></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff</a></td><td>Asterisk 1.8</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff</a></td><td>Asterisk 10</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff</a></td><td>Asterisk 11</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff</a></td><td>Certified Asterisk 1.8.15</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff</a></td><td>Asterisk BE C.3</td></tr>
</table>
<br>
<b>Links</b> <a href="https://issues.asterisk.org/jira/browse/ASTERISK-21013" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-21013</a><br>
<br>
Asterisk Project Security Advisories are posted at<br>
<a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
This document may be superseded by later versions; if so, the latest<br>
version will be posted at<br>
<a href="http://downloads.digium.com/pub/security/AST-2013-003.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2013-003.pdf</a> and<br>
<a href="http://downloads.digium.com/pub/security/AST-2013-003.html" target="_blank">http://downloads.digium.com/pub/security/AST-2013-003.html</a><br>
<br>
<b>Revision History</b><br>
<table>
<tr><th>Date</th><th>Editor</th><th>Revisions Made</th></tr>
<tr><td>2013-02-20</td><td>Kinsey Moore</td><td>Initial revision.</td></tr>
<tr><td>2013-02-27</td><td>Kinsey Moore</td><td>Added Asterisk BE patch information.</td></tr>
<tr><td>2013-02-27</td><td>Kinsey Moore</td><td>Corrected open source Asterisk versions.</td></tr>
</table>
<br>
Copyright (c) 2013 Digium, Inc. All Rights Reserved.<br>
Permission is hereby granted to distribute and publish this advisory in its<br>
original, unaltered form.<br>
<br>
<br>
</div><br><br clear="all"><br>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
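<p>Each item under Description in the forwarded advisory is a yes/no oracle that an unauthenticated client can read off the wire, and the practical check for it is differential: probe once with a username that certainly does not exist, once with the username under test, and compare everything the server sends back. The Python below is an added example, not part of the advisory or of the Asterisk code base. It compares the status code, the reason phrase (which catches a trailing "(Bad auth)"), the number of copies of the reply that arrive (server-side retransmissions), and the reply to an exact client retransmission. The UDP prober <code>probe_udp</code> and the SIP replies built for <code>SCENARIOS</code> are assumptions for illustration and are not captured Asterisk traffic; the scenarios model the kinds of difference the advisory lists, not the exact bytes any Asterisk version emitted.</p>

```python
import re
import socket
import uuid
from dataclasses import dataclass

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


@dataclass(frozen=True)
class Observation:
    """What an unauthenticated prober sees for one username.  Nonces and tags
    legitimately vary per request, so only status lines and counts are kept."""
    first: tuple[int, str]     # (status, reason) of the first reply
    first_count: int           # copies of that reply (server-side retransmissions)
    retrans: tuple[int, str]   # (status, reason) after the client resends the request


def parse_status(raw: bytes) -> tuple[int, str]:
    """Return (status code, reason phrase) from a SIP response's status line."""
    line = raw.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    m = STATUS_LINE.match(line)
    if not m:
        raise ValueError(f"not a SIP response: {line!r}")
    return int(m.group(1)), m.group(2).strip()


def observe(first_replies: list[bytes], retrans_replies: list[bytes]) -> Observation:
    """Summarize replies to the initial request and to its exact retransmission.
    Silence is recorded as (0, "no reply") so it is compared like any answer."""
    def head(replies: list[bytes]) -> tuple[int, str]:
        return parse_status(replies[0]) if replies else (0, "no reply")
    return Observation(head(first_replies), len(first_replies), head(retrans_replies))


def oracle_differences(baseline: Observation, candidate: Observation) -> list[str]:
    """Observable differences from the known-nonexistent baseline; [] means no leak."""
    diffs = []
    for label, a, b in (("first reply", baseline.first, candidate.first),
                        ("reply to retransmission", baseline.retrans, candidate.retrans)):
        if a[0] != b[0]:           # e.g. 401 vs 407, or 401 vs 403 after a resend
            diffs.append(f"{label}: status {a[0]} vs {b[0]}")
        elif a[1] != b[1]:         # same code, extra text such as "(Bad auth)"
            diffs.append(f"{label}: reason phrase {a[1]!r} vs {b[1]!r}")
    if baseline.first_count != candidate.first_count:   # server retransmits for one side only
        diffs.append(f"replies to one request: {baseline.first_count} vs {candidate.first_count}")
    return diffs


def build_register(user: str, domain: str, local_ip: str) -> bytes:
    """Unauthenticated REGISTER; resending the identical bytes is a true retransmission."""
    return "\r\n".join([
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]};rport",
        f"From: sip:{user}@{domain};tag={uuid.uuid4().hex[:8]}",
        f"To: sip:{user}@{domain}", f"Call-ID: {uuid.uuid4().hex}", "CSeq: 1 REGISTER",
        f"Contact: sip:{user}@{local_ip}:5060", "Max-Forwards: 70",
        "Content-Length: 0", "", ""]).encode()


def probe_udp(host: str, user: str, port: int = 5060, timeout: float = 1.5) -> Observation:
    """Send one REGISTER, collect every reply within `timeout`, resend the same
    datagram and collect again.  Only for hosts you are authorized to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.connect((host, port))
        sock.settimeout(timeout)
        req = build_register(user, host, sock.getsockname()[0])

        def send_and_collect() -> list[bytes]:
            sock.send(req)
            replies = []
            try:
                while True:
                    replies.append(sock.recv(4096))
            except socket.timeout:
                pass
            return replies

        return observe(send_and_collect(), send_and_collect())


# ---- offline demonstration on constructed replies (not captured traffic) ----
def _reply(status: int, reason: str) -> bytes:
    return f"SIP/2.0 {status} {reason}\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n".encode()


def _obs(first: tuple[int, str], count: int, retrans: tuple[int, str]) -> Observation:
    return observe([_reply(*first)] * count, [_reply(*retrans)])


# (unknown user, known user) pairs modelled on the kinds of leak the advisory lists.
SCENARIOS = {
    "pre-patch": (_obs((401, "Unauthorized"), 2, (403, "Forbidden")),
                  _obs((407, "Proxy Authentication Required"), 1, (403, "Forbidden (Bad auth)"))),
    "retransmission leak": (_obs((401, "Unauthorized"), 1, (401, "Unauthorized")),
                            _obs((401, "Unauthorized"), 1, (403, "Forbidden"))),
    "uniform": (_obs((401, "Unauthorized"), 1, (401, "Unauthorized")),
                _obs((401, "Unauthorized"), 1, (401, "Unauthorized"))),
}


def check(scenario: str) -> list[str]:
    """Differences the prober would report for one constructed scenario."""
    unknown, known = SCENARIOS[scenario]
    return oracle_differences(unknown, known)
```

<p><code>check("pre-patch")</code> reports three differences (status 401 vs 407 on the first reply, the "(Bad auth)" suffix on the reply to the retransmission, and two reply copies versus one), <code>check("retransmission leak")</code> reports only the 401-versus-403 change after a resend, and <code>check("uniform")</code> returns an empty list. Against a live registrar the same comparison is <code>oracle_differences(probe_udp(host, "zz-nonexistent"), probe_udp(host, candidate))</code>; because the nonce and tags differ on every request, only status lines and reply counts are compared, so a server that answers every unauthenticated request identically yields an empty list.</p>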
</div></div>