#VU12323 Information Exposure


Published: 2018-05-01

Vulnerability identifier: #VU12323

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-3727

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Description
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.
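The distinguishing feature of this weakness is a REGISTER whose To-header user and Digest username disagree, repeated across many candidate names from one source. The following Python is an added detection example written for this page (it is not code from the advisory, from Asterisk, or from any of the linked references): it parses raw SIP REGISTER requests, extracts the user part of the To URI and the `username` parameter of the Digest Authorization header, and counts inconsistent requests per source address. The messages, hosts, realm and threshold are constructed for the example. A single mismatch is not proof of abuse, since some deployments legitimately use an authentication name that differs from the address-of-record, which is why the summary works on a per-source count rather than on individual requests.

```python
import re
from collections import Counter

# User part of the To URI: handles "To: <sip:user@host>", "To: sip:user@host"
# and display-name forms such as 'To: "Name" <sip:user@host>'.
TO_USER_RE = re.compile(r"^To:\s*.*?<?sip:([^@>;\s]+)@", re.IGNORECASE | re.MULTILINE)
# username="..." inside a Digest Authorization header.
DIGEST_USER_RE = re.compile(
    r'^Authorization:\s*Digest\s.*?username="([^"]*)"', re.IGNORECASE | re.MULTILINE
)


def parse_register(msg):
    """Return (to_user, digest_user) for a REGISTER request, or None for any
    other method. Either element is None when the corresponding header is
    absent (e.g. the first REGISTER sent before the 401 challenge)."""
    request_line = msg.split("\r\n", 1)[0]
    if not request_line.upper().startswith("REGISTER "):
        return None
    to_m = TO_USER_RE.search(msg)
    dg_m = DIGEST_USER_RE.search(msg)
    return (to_m.group(1) if to_m else None, dg_m.group(1) if dg_m else None)


def is_inconsistent_register(msg):
    """True when a REGISTER carries credentials for one user while addressing
    another, the pattern this advisory describes."""
    parsed = parse_register(msg)
    if parsed is None:
        return False
    to_user, digest_user = parsed
    return to_user is not None and digest_user is not None and to_user != digest_user


def suspicious_sources(events, threshold=3):
    """Given (source_ip, raw_message) pairs, return the sources that sent at
    least `threshold` inconsistent REGISTERs, with their counts."""
    counts = Counter(src for src, msg in events if is_inconsistent_register(msg))
    return {src: n for src, n in counts.items() if n >= threshold}


def build_register(to_user, digest_user=None):
    """Construct a minimal SIP REGISTER for the sample data (constructed values)."""
    lines = [
        "REGISTER sip:pbx.example.internal SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776",
        f"To: <sip:{to_user}@pbx.example.internal>",
        f"From: <sip:{to_user}@pbx.example.internal>;tag=1928",
        "Call-ID: constructed-1@192.0.2.1",
        "CSeq: 1 REGISTER",
    ]
    if digest_user is not None:
        lines.append(
            f'Authorization: Digest username="{digest_user}", realm="asterisk", '
            'nonce="constructed", uri="sip:pbx.example.internal", response="00000000"'
        )
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample traffic: one normal registration sequence, one source
# probing several To users with the same credentials, and an unrelated INVITE.
SAMPLE_EVENTS = [
    ("10.0.0.5", build_register("alice")),            # before the 401 challenge
    ("10.0.0.5", build_register("alice", "alice")),   # consistent retry
    ("198.51.100.7", build_register("bob", "alice")),
    ("198.51.100.7", build_register("carol", "alice")),
    ("198.51.100.7", build_register("dave", "alice")),
    ("10.0.0.9", "INVITE sip:alice@pbx.example.internal SIP/2.0\r\n"
                 "To: <sip:alice@pbx.example.internal>\r\n\r\n"),
]

if __name__ == "__main__":
    for src, count in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {count} REGISTERs with mismatched To/Digest usernames")
```

On a real deployment the `SAMPLE_EVENTS` list would be replaced by messages taken from a packet capture or from Asterisk's SIP debug output, and the threshold tuned to the site's normal rate of authentication-name mismatches; the per-source count is the signal, together with the patched versions listed in the description.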

Mitigation
Install update from vendor's website.

External links
http://www.securityfocus.com/bid/36924
http://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html
http://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
http://bugzilla.redhat.com/show_bug.cgi?id=533137
http://bugzilla.redhat.com/show_bug.cgi?id=523277
http://www.securitytracker.com/id?1023133
http://www.debian.org/security/2009/dsa-1952
http://osvdb.org/59697
http://downloads.asterisk.org/pub/security/AST-2009-008.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.