Summary: ASTERISK-12892: [patch] AST-2009-001
Reporter: Tilghman Lesher (tilghman)
Labels:
Date Opened: 2008-10-14 16:09:39
Date Closed: 2009-01-07 16:31:08.000-0600
Versions:
Frequency of
Environment:
Attachments:
( 0) 20081015__bug13693__1.2.diff.txt
( 1) 20081015__bug13693__1.4.diff.txt
Description:
Possible security issue:

Asterisk returns a different answer when a user does not exist as compared to a user who has not yet successfully authenticated (with the REGAUTH command).  This amounts to information leakage, allowing an attacker to scan an Asterisk machine for a list of users.  Once a list of users has been obtained, the attacker can proceed to run a password attack.

If, instead, we provide a similar response to an invalid user, it makes the attacker's job (finding a valid user/password combination) much more difficult.
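The leak the report describes, and the fix it proposes, modelled at message level. This is an added example, not Asterisk's own code and not from the attached patches: the PEERS table, the Reply class, the random numeric challenge and the dummy-secret comparison for unknown users are assumptions made here. REGREQ, REGAUTH, REGREJ and REGACK are the IAX2 registration message names, and the MD5 response is the IAX2 one (hex MD5 over challenge followed by secret). The pre-fix handler answers an unknown user with REGREJ and a known one with REGAUTH, so an attacker learns the user list from the first round trip; the post-fix handler challenges every name, and the second round trip rejects an unknown user and a wrong secret identically, so the enumeration collapses into an ordinary password attack.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample peer table standing in for iax.conf: username -> secret.
PEERS = {"alice": "s3cret-one", "bob": "s3cret-two"}


@dataclass
class Reply:
    kind: str            # IAX2 subclass name: "REGAUTH", "REGREJ" or "REGACK"
    challenge: str = ""  # only meaningful with REGAUTH


def new_challenge() -> str:
    # Assumed challenge format: a random decimal string, fresh per REGREQ.
    return str(secrets.randbelow(10 ** 9))


def vulnerable_regreq(username: str) -> Reply:
    """Pre-fix behaviour as the report describes it: an unknown user is
    rejected immediately, a known user is sent a challenge."""
    if username not in PEERS:
        return Reply("REGREJ")
    return Reply("REGAUTH", challenge=new_challenge())


def hardened_regreq(username: str) -> Reply:
    """Post-fix behaviour: every REGREQ is answered with a REGAUTH challenge,
    so the first round trip no longer reveals whether the user exists."""
    return Reply("REGAUTH", challenge=new_challenge())


def md5_result(challenge: str, secret: str) -> str:
    """IAX2 MD5 authentication result: hex MD5 over challenge || secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def verify_md5(username: str, challenge: str, result: str) -> Reply:
    """Second round trip. Unknown user and wrong secret both end in REGREJ,
    and the digest comparison runs either way (dummy secret for an unknown
    user, an assumption here) so neither the reply nor the amount of work
    done distinguishes the two cases."""
    secret = PEERS.get(username, "")
    expected = md5_result(challenge, secret)
    digest_ok = hmac.compare_digest(expected, result)
    if username not in PEERS or not digest_ok:
        return Reply("REGREJ")
    return Reply("REGACK")


def enumerate_users(handler, candidates):
    """Attacker side: any name that receives a challenge is taken as valid."""
    return [name for name in candidates if handler(name).kind == "REGAUTH"]


if __name__ == "__main__":
    probe = ["alice", "carol", "bob", "dave"]
    print("pre-fix  :", enumerate_users(vulnerable_regreq, probe))
    print("post-fix :", enumerate_users(hardened_regreq, probe))
    chal = hardened_regreq("carol").challenge
    print("unknown user, 2nd step:", verify_md5("carol", chal, md5_result(chal, "guess")).kind)
    print("known user, wrong secret:", verify_md5("alice", chal, md5_result(chal, "guess")).kind)
```

Against the pre-fix handler the probe list shrinks to the two real users; against the post-fix handler every candidate looks the same, and the only remaining signal is REGREJ after a full challenge/response, which a wrong password produces too.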
Comments:
By: Jason Parker (jparker) 2008-10-14 17:33:36

Don't do that then.

By: Jason Parker (jparker) 2008-10-14 17:34:16

(sorry, the urge came over me to comment on the summary)

By: Tilghman Lesher (tilghman) 2008-10-15 17:00:34

Patches refreshed.

By: Russell Bryant (russell) 2008-10-20 21:24:13

patch looks good