TUCoPS :: Asterisk :: va2243.htm

IAX2 Information leak in IAX2 authentication
AST-2009-001: Information leak in IAX2 authentication
AST-2009-001: Information leak in IAX2 authentication



               Asterisk Project Security Advisory - AST-2009-001

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Information leak in IAX2 authentication         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Unauthorized data disclosure                    |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | Yes                                             |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 15, 2008                                |
   |----------------------+-------------------------------------------------|
| Reported By | http://www.unprotectedhex.com | 
   |----------------------+-------------------------------------------------|
   |      Posted On       | January 7, 2009                                 |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | January 7, 2009                                 |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2009-0041                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | IAX2 provides a different response during authentication |
   |             | when a user does not exist, as compared to when the      |
   |             | password is merely wrong. This allows an attacker to     |
   |             | scan a host to find specific users on which to           |
   |             | concentrate password cracking attempts.                  |
   |             |                                                          |
   |             | The workaround involves sending back responses that are  |
   |             | valid for that particular site. For example, if it were  |
   |             | known that a site only uses RSA authentication, then     |
   |             | sending back an MD5 authentication request would         |
   |             | similarly identify the user as not existing. The         |
   |             | opposite is also true. So the solution is always to send |
   |             | back an authentication response that corresponds to a    |
   |             | known frequency with which real authentication responses |
   |             | are returned, when the user does not exist. This makes   |
   |             | it very difficult for an attacker to guess whether a     |
   |             | user exists or not, based upon this particular           |
   |             | mechanism.                                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
   |            | the 1.4 branch or one of the releases noted below.        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All version prior to 1.2.31     |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to           |
   |                            |         | 1.4.23-rc4                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |
   |                            |         | 1.6.0.3-rc2                     |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | All versions                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.7   |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  | C.1.x.x | All versions prior to C.1.10.4  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  | C.2.x.x | All versions prior to C.2.1.2.1 |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | Not affected                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | All versions prior to 1.3.0     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.2.31           |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.4.22.1          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |          1.6.0.3          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          B.2.5.7          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         C.1.10.4          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |         C.2.1.2.1         |
   |--------------------------------------------+---------------------------|
   |         s800i (Asterisk Appliance)         |           1.3.0           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                               URL                               |Branch|
   |-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 | 
   |-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 | 
   |-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
| Links | http://code.google.com/p/iaxscan/ | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security | 
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-001.pdf and | 
| http://downloads.digium.com/pub/security/AST-2009-001.html | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2009-01-07      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-001
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH