#VU12321 Information Exposure


Published: 2018-05-01

Vulnerability identifier: #VU12321

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2008-3903

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Description
Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames.

Mitigation
Install update from vendor's website.

External links
http://downloads.asterisk.org/pub/security/AST-2009-003.html
http://misel.com/?p=52
http://security.gentoo.org/glsa/glsa-200905-01.xml
http://www.debian.org/security/2009/dsa-1952
http://www.securityfocus.com/bid/34353
http://www.vupen.com/english/advisories/2009/0933
http://exchange.xforce.ibmcloud.com/vulnerabilities/45059

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for asterisk