Vigil@nce - Asterisk: username detection
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can observe SIP error messages, in order to detect if
a username is valid.
Impacted products: Asterisk Open Source, Fedora, MBS
Severity: 2/4
Creation date: 28/03/2013
DESCRIPTION OF THE VULNERABILITY
The Asterisk service can be configured with:
– alwaysauthreject enabled
– allowguest disabled
– autocreatepeer disabled
However, in this configuration, authentication error messages (for
SIP INVITE, SUBSCRIBE and REGISTER) are different whether the
username exists or not.
An attacker can therefore observe SIP error messages, in order to
detect if a username is valid.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-username-detection-12589