Asterisk Discloses Whether User Accounts Are Valid to Remote Users
SecurityTracker Alert ID: 1021549
SecurityTracker URL: http://securitytracker.com/id?1021549
CVE Reference: CVE-2009-0041
Date: Jan 9 2009
Impact: Disclosure of system information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 1.2.x prior to 1.2.31, 1.4.x prior to 1.4.23-rc4, 1.6.x prior to 1.6.0.3-rc2
Description: A vulnerability was reported in Asterisk. A remote user can determine valid user accounts on the target system.
The IAX2 service responds differently to valid and invalid authentication attempts. This lets a remote user determine whether a specified user name exists on the target system.
The vendor was notified on October 15, 2008.
unprotectedhex.com reported this vulnerability.
Impact: A remote user can determine valid user accounts on the target system.
Solution: The vendor has issued a fix (1.2.31, 1.4.22.1, 1.6.0.3).
The vendor's advisory is available at:
http://downloads.digium.com/pub/security/AST-2009-001.html
Vendor URL: downloads.digium.com/pub/security/AST-2009-001.html
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents
Date: Thu, 8 Jan 2009 19:09:51 -0500
Subject: Asterisk Project Security Advisory - AST-2009-001
http://downloads.digium.com/pub/security/AST-2009-001.html
CVE-2009-0041