Summary: ASTERISK-12892: [patch] AST-2009-001
Reporter: Tilghman Lesher (tilghman)
Labels:
Date Opened: 2008-10-14 16:09:39
Date Closed: 2009-01-07 16:31:08.000-0600
Environment:
Attachments:
  (0) 20081015__bug13693__1.2.diff.txt
  (1) 20081015__bug13693__1.4.diff.txt
Description:
Possible security issue:
Asterisk returns a different answer when a user does not exist as compared to a user who has not yet successfully authenticated (with the REGAUTH command). This amounts to information leakage, allowing an attacker to scan an Asterisk machine for a list of users. Once a list of users has been obtained, the attacker can proceed to run a password attack.
If, instead, we provide a similar response to an invalid user, it makes the attacker's job (finding a valid user/password combination) much more difficult.
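The oracle the report describes, as an added example that is not Asterisk code and is not taken from the attached patches: a toy registration handler that answers a nonexistent user differently from an existing, not-yet-authenticated one, next to a variant that gives both the same first response. The REGAUTH name follows the report; the REGREJ/REGACK names, the peer table, the secrets, the placeholder challenge and the toy "challenge:secret" response format are constructed for this example and are not the real protocol.

```c
/* Added example, not code from Asterisk or from this ticket's patches: a toy
 * registration handler that reproduces the oracle described above (a different
 * first response for a nonexistent user than for an existing, unauthenticated
 * one) next to a variant that answers both the same way. The REGAUTH name
 * follows the report; REGREJ/REGACK, the peer table, the secrets, the
 * challenge format and the "challenge:secret" response are constructed for
 * this example and are not the real protocol. */
#include <stdio.h>
#include <string.h>

enum reg_response { RESP_REGAUTH, RESP_REGREJ, RESP_REGACK };

/* Constructed peer table standing in for the configured users. */
static const struct { const char *name; const char *secret; } peers[] = {
    { "alice", "s3cret" }, { "bob", "hunter2" }, { NULL, NULL }
};

static const char *lookup_secret(const char *name)
{
    for (int i = 0; peers[i].name; i++)
        if (strcmp(peers[i].name, name) == 0)
            return peers[i].secret;
    return NULL;
}

/* Placeholder challenge; a real server would draw this from a CSPRNG per
 * request. Fixed here so the example stays deterministic. */
static void make_challenge(char *out, size_t len)
{
    snprintf(out, len, "%s", "c0ffee01");
}

typedef enum reg_response (*first_stage_fn)(const char *, char *, size_t);

/* Leaky first stage: an unknown name is rejected outright, so a client
 * learns which names exist without presenting any credential. */
enum reg_response register_leaky(const char *user, char *challenge, size_t len)
{
    if (!lookup_secret(user))
        return RESP_REGREJ;
    make_challenge(challenge, len);
    return RESP_REGAUTH;
}

/* Hardened first stage: every name is challenged; existence is only decided
 * in the second stage, where a wrong secret and an unknown name both fail. */
enum reg_response register_fixed(const char *user, char *challenge, size_t len)
{
    (void)user;
    make_challenge(challenge, len);
    return RESP_REGAUTH;
}

/* Comparison whose work does not depend on where the strings first differ,
 * so the second stage does not leak how much of the response matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Second stage of the hardened flow. For an unknown name we still run the
 * comparison against a dummy secret so the code path (and its timing) matches
 * a known user presenting a wrong secret. */
enum reg_response register_fixed_verify(const char *user, const char *challenge,
                                        const char *response)
{
    const char *secret = lookup_secret(user);
    const char *cmp_secret = secret ? secret : "dummy-secret-for-unknown";
    char expected[128];
    snprintf(expected, sizeof expected, "%s:%s", challenge, cmp_secret);
    int match = ct_equal(expected, response);
    return (secret && match) ? RESP_REGACK : RESP_REGREJ;
}

/* Enumeration probe: 1 if the first-stage response alone distinguishes a
 * known name from an unknown one, i.e. the leak the report describes. */
int enumerable(first_stage_fn fn)
{
    char c1[16], c2[16];
    return fn("alice", c1, sizeof c1) != fn("nosuchuser", c2, sizeof c2);
}

int main(void)
{
    printf("leaky handler enumerable: %d\n", enumerable(register_leaky));
    printf("fixed handler enumerable: %d\n", enumerable(register_fixed));
    printf("alice, correct response: %d (REGACK=%d)\n",
           register_fixed_verify("alice", "c0ffee01", "c0ffee01:s3cret"), RESP_REGACK);
    printf("nosuchuser: %d (REGREJ=%d)\n",
           register_fixed_verify("nosuchuser", "c0ffee01", "c0ffee01:guess"), RESP_REGREJ);
    return 0;
}
```

Two caveats worth checking in a real fix of this kind: the challenge sent to a nonexistent user must be indistinguishable from a real one (same format, same randomness, not a fixed or obviously synthetic value), and the second-stage rejection for an unknown name must be the same message, on the same code path, as a bad secret for a known name; otherwise the oracle just moves one round trip later.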
Comments:
By: Jason Parker (jparker) 2008-10-14 17:33:36
Don't do that then.
By: Jason Parker (jparker) 2008-10-14 17:34:16
(sorry, the urge came over me to comment on the summary)
By: Tilghman Lesher (tilghman) 2008-10-15 17:00:34
By: Russell Bryant (russell) 2008-10-20 21:24:13
patch looks good