| Summary: | ASTERISK-12892: [patch] AST-2009-001 | ||
| Reporter: | Tilghman Lesher (tilghman) | Labels: | |
| Date Opened: | 2008-10-14 16:09:39 | Date Closed: | 2009-01-07 16:31:08.000-0600 |
| Priority: | Minor | Regression? | No |
| Status: | Closed/Complete | Components: | Channels/chan_iax2 |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ( 0) 20081015__bug13693__1.2.diff.txt ( 1) 20081015__bug13693__1.4.diff.txt | |
| Description: | Possible security issue: Asterisk returns a different answer when a user does not exist as compared to a user who has not yet successfully authenticated (with the REGAUTH command). This amounts to information leakage, allowing an attacker to scan an Asterisk machine for a list of users. Once a list of users has been obtained, the attacker can proceed to run a password attack. If, instead, we provide a similar response to an invalid user, it makes the attacker's job (finding a valid user/password combination) much more difficult. | ||
| Comments: | By: Jason Parker (jparker) 2008-10-14 17:33:36 Don't do that then. By: Jason Parker (jparker) 2008-10-14 17:34:16 (sorry, the urge came over me to comment on the summary) By: Tilghman Lesher (tilghman) 2008-10-15 17:00:34 Patches refreshed. By: Russell Bryant (russell) 2008-10-20 21:24:13 patch looks good | ||