Lucene search
SecurityvulnsSECURITYVULNS:DOC:29222HistoryApr 01, 2013 - 12:00 a.m.
AST-2013-003: Username disclosure in SIP channel driver
2013-04-0100:00:00
vulners.com
18
Asterisk Project Security Advisory - AST-2013-003
Product Asterisk
Summary Username disclosure in SIP channel driver
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 30, 2013
Reported By Walter Doekes, OSSO B.V.
Posted On February 21, 2013
Last Updated On March 27, 2013
Advisory Contact Kinsey Moore <[email protected]>
CVE Name CVE-2013-2264
Description When authenticating via SIP with alwaysauthreject enabled,
allowguest disabled, and autocreatepeer disabled, Asterisk
discloses whether a user exists for INVITE, SUBSCRIBE, and
REGISTER transactions in multiple ways.
This information was disclosed:
* when a "407 Proxy Authentication Required" response was
sent instead of "401 Unauthorized" response.
* due to the presence or absence of additional tags at the
end of "403 Forbidden" such as "(Bad auth)".
* when a "401 Unauthorized" response was sent instead of
"403 Forbidden" response after a retransmission.
* when retransmissions were sent when a matching peer did
not exist, but were not when a matching peer did exist.
Resolution This issue can only be mitigated by upgrading to versions of
Asterisk that contain the patch or applying the patch.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Asterisk Open Source 11.x All Versions
Certified Asterisk 1.8.15 All Versions
Asterisk Business Edition C.3.x All Versions
Asterisk Digiumphones 10.x-digiumphones All Versions
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Asterisk Digiumphones 10.12.2-digiumphones
Certified Asterisk 1.8.15-cert2
Asterisk Business Edition C.3.8.1
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff Asterisk
BE C.3
Links https://issues.asterisk.org/jira/browse/ASTERISK-21013
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-003.pdf and
http://downloads.digium.com/pub/security/AST-2013-003.html
Revision History
Date Editor Revisions Made
2013-02-20 Kinsey Moore Initial revision.
2013-02-27 Kinsey Moore Added Asterisk BE patch information.
2013-02-27 Kinsey Moore Corrected open source Asterisk versions.
Asterisk Project Security Advisory - AST-2013-003
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Related
debiancve
debiancve
CVE-2013-2264
2013-04-01 16:55:00
nessus
nessus
Asterisk SIP Channel Driver Username Disclosure (AST-2013-003)
2013-04-10 00:00:00
Fedora 17 : asterisk-10.12.2-1.fc17 (2013-4528)
2013-04-08 00:00:00
cve
cve
CVE-2013-2264
2013-04-01 16:55:00
ubuntucve
ubuntucve
CVE-2013-2264
2013-04-01 00:00:00
prion
prion
Code injection
2013-04-01 16:55:00
fedora
fedora
[SECURITY] Fedora 17 Update: asterisk-10.12.2-1.fc17
2013-04-07 00:44:42
openvas
openvas
Fedora Update for asterisk FEDORA-2013-4528
2013-04-08 00:00:00
Fedora Update for asterisk FEDORA-2013-4528
2013-04-08 00:00:00
Gentoo Security Advisory GLSA 201401-15
2015-09-29 00:00:00
freebsd
freebsd
asterisk -- multiple vulnerabilities
2013-03-27 00:00:00
securityvulns
securityvulns
Asterisk multiple security vulnerabilities
2013-04-01 00:00:00
gentoo
gentoo
Asterisk: Multiple vulnerabilities
2014-01-21 00:00:00
Related for SECURITYVULNS:DOC:29222