AST-2009-003: SIP responses expose valid usernames
Asterisk Project Security Advisory - AST-2009-003
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | SIP responses expose valid usernames |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Information leak |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Minor |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | February 23, 2009 |
|--------------------+---------------------------------------------------|
| Reported By | Gentoo Linux Project: Kerin Millar ( kerframil on |
| | irc.freenode.net ) and Fergal Glynn < FGlynn AT |
| | veracode DOT com > |
|--------------------+---------------------------------------------------|
| Posted On | April 2, 2009 |
|--------------------+---------------------------------------------------|
| Last Updated On | April 2, 2009 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-3903 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | In 2006, the Asterisk maintainers made it more difficult |
| | to scan for valid SIP usernames by implementing an |
| | option called "alwaysauthreject", which should return a |
| | 401 error on all replies which are generated for users |
| | which do not exist. While this was sufficient at the |
| | time, due to ever increasing compliance with RFC 3261, |
| | the SIP specification, that is no longer sufficient as a |
| | means towards preventing attackers from checking |
| | responses to verify whether a SIP account exists on a |
| | machine. |
| | |
| | What we have done is to carefully emulate exactly the |
| | same responses throughout possible dialogs, which should |
| | prevent attackers from gleaning this information. All |
| | invalid users, if this option is turned on, will receive |
| | the same response throughout the dialog, as if a |
| | username was valid, but the password was incorrect. |
| | |
| | It is important to note several things. First, this |
| | vulnerability is derived directly from the SIP |
| | specification, and it is a technical violation of RFC |
| | 3261 (and subsequent RFCs, as of this date), for us to |
| | return these responses. Second, this attack is made much |
| | more difficult if administrators avoided creating |
| | all-numeric usernames and especially all-numeric |
| | passwords. This combination is extremely vulnerable for |
| | servers connected to the public Internet, even with this |
| | patch in place. While it may make configuring SIP |
| | telephones easier in the short term, it has the |
| | potential to cause grief over the long term. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions below, or apply one of the |
| | patches specified in the Patches section. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.32 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.24.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
| | | 1.6.0.8 |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.8 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.1.x.x | All versions prior to |
| | | C.1.10.5 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.2.x.x | All versions prior to |
| | | C.2.3.3 |
|----------------------------+------------+------------------------------|
| AsteriskNOW | 1.5 | Not affected |
|----------------------------+------------+------------------------------|
| s800i (Asterisk Appliance) | 1.3.x | All versions prior to |
| | | 1.3.0.2 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.2.32 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.4.24.1 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.6.0.8 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | B.2.5.8 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.1.10.5 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.2.3.3 |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance) | 1.3.0.2 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| Patch URL |Version|
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt | 1.2 |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt | 1.4 |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt | 1.6.0 |
|----------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt | 1.6.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://www.faqs.org/rfcs/rfc3261.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-003.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-003.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2009-04-02 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-003
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.