<<< Date Index >>>     <<< Thread Index >>>

AST-2009-003: SIP responses expose valid usernames



               Asterisk Project Security Advisory - AST-2009-003

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | SIP responses expose valid usernames              |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Information leak                                  |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Minor                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | February 23, 2009                                 |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Gentoo Linux Project: Kerin Millar ( kerframil on |
   |                    | irc.freenode.net ) and Fergal Glynn < FGlynn AT   |
   |                    | veracode DOT com >                                |
   |--------------------+---------------------------------------------------|
   |     Posted On      | April 2, 2009                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | April 2, 2009                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-3903                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | In 2006, the Asterisk maintainers made it more difficult |
   |             | to scan for valid SIP usernames by implementing an       |
   |             | option called "alwaysauthreject", which should return a  |
   |             | 401 error on all replies which are generated for users   |
   |             | which do not exist. While this was sufficient at the     |
   |             | time, due to ever increasing compliance with RFC 3261,   |
   |             | the SIP specification, that is no longer sufficient as a |
   |             | means towards preventing attackers from checking         |
   |             | responses to verify whether a SIP account exists on a    |
   |             | machine.                                                 |
   |             |                                                          |
   |             | What we have done is to carefully emulate exactly the    |
   |             | same responses throughout possible dialogs, which should |
   |             | prevent attackers from gleaning this information. All    |
   |             | invalid users, if this option is turned on, will receive |
   |             | the same response throughout the dialog, as if a         |
   |             | username was valid, but the password was incorrect.      |
   |             |                                                          |
   |             | It is important to note several things. First, this      |
   |             | vulnerability is derived directly from the SIP           |
   |             | specification, and it is a technical violation of RFC    |
   |             | 3261 (and subsequent RFCs, as of this date), for us to   |
   |             | return these responses. Second, this attack is made much |
   |             | more difficult if administrators avoided creating        |
   |             | all-numeric usernames and especially all-numeric         |
   |             | passwords. This combination is extremely vulnerable for  |
   |             | servers connected to the public Internet, even with this |
   |             | patch in place. While it may make configuring SIP        |
   |             | telephones easier in the short term, it has the          |
   |             | potential to cause grief over the long term.             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.32 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.24.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |
   |                            |            | 1.6.0.8                      |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.2.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.4.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.6.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   A.x.x    | All versions                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   B.x.x    | All versions prior to        |
   |                            |            | B.2.5.8                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |  C.1.x.x   | All versions prior to        |
   |                            |            | C.1.10.5                     |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |  C.2.x.x   | All versions prior to        |
   |                            |            | C.2.3.3                      |
   |----------------------------+------------+------------------------------|
   |        AsteriskNOW         |    1.5     | Not affected                 |
   |----------------------------+------------+------------------------------|
   | s800i (Asterisk Appliance) |   1.3.x    | All versions prior to        |
   |                            |            | 1.3.0.2                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.32          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.24.1         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.8          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.8          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.1.10.5         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.3.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.3.0.2          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                           Patch URL                            |Version|
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt   |  1.2  |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt   |  1.4  |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt | 1.6.0 |
   |----------------------------------------------------------------+-------|
   |http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt | 1.6.1 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |       Links        | http://www.faqs.org/rfcs/rfc3261.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-003.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-003.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2009-04-02      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-003
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.