AST-2009-001: Information leak in IAX2 authentication Jan 08 2009 07:28PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2009-001

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | Information leak in IAX2 authentication |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | Unauthorized data disclosure |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+------------------------------------------------
-|
| Severity | Minor |
|----------------------+------------------------------------------------
-|
| Exploits Known | Yes |
|----------------------+------------------------------------------------
-|
| Reported On | October 15, 2008 |
|----------------------+------------------------------------------------
-|
| Reported By | http://www.unprotectedhex.com |
|----------------------+------------------------------------------------
-|
| Posted On | January 7, 2009 |
|----------------------+------------------------------------------------
-|
| Last Updated On | January 7, 2009 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|----------------------+------------------------------------------------
-|
| CVE Name | CVE-2009-0041 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | IAX2 provides a different response during authentication |
| | when a user does not exist, as compared to when the |
| | password is merely wrong. This allows an attacker to |
| | scan a host to find specific users on which to |
| | concentrate password cracking attempts. |
| | |
| | The workaround involves sending back responses that are |
| | valid for that particular site. For example, if it were |
| | known that a site only uses RSA authentication, then |
| | sending back an MD5 authentication request would |
| | similarly identify the user as not existing. The |
| | opposite is also true. So the solution is always to send |
| | back an authentication response that corresponds to a |
| | known frequency with which real authentication responses |
| | are returned, when the user does not exist. This makes |
| | it very difficult for an attacker to guess whether a |
| | user exists or not, based upon this particular |
| | mechanism. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
| | the 1.4 branch or one of the releases noted below. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.2.x | All version prior to 1.2.31 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.23-rc4 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.6.x | All versions prior to |
| | | 1.6.0.3-rc2 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | C.2.x.x | All versions prior to C.2.1.2.1 |
|----------------------------+---------+--------------------------------
-|
| AsteriskNOW | 1.5 | Not affected |
|----------------------------+---------+--------------------------------
-|
| s800i (Asterisk Appliance) | 1.2.x | All versions prior to 1.3.0 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|--------------------------------------------+--------------------------
-|
| Asterisk Open Source | 1.2.31 |
|--------------------------------------------+--------------------------
-|
| Asterisk Open Source | 1.4.22.1 |
|--------------------------------------------+--------------------------
-|
| Asterisk Open Source | 1.6.0.3 |
|--------------------------------------------+--------------------------
-|
| Asterisk Business Edition | B.2.5.7 |
|--------------------------------------------+--------------------------
-|
| Asterisk Business Edition | C.1.10.4 |
|--------------------------------------------+--------------------------
-|
| Asterisk Business Edition | C.2.1.2.1 |
|--------------------------------------------+--------------------------
-|
| s800i (Asterisk Appliance) | 1.3.0 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Patches |
|-----------------------------------------------------------------------
-|
| URL |Branch|
|-----------------------------------------------------------------+-----
-|
|http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 |
|-----------------------------------------------------------------+-----
-|
|http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 |
|-----------------------------------------------------------------+-----
-|
|http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | http://code.google.com/p/iaxscan/ |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-001.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+------------------------+----------------------------
-|
| 2009-01-07 | Tilghman Lesher | Initial release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2009-001
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus