Vigil@nce: Asterisk, user detection
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can examine error messages in order to detect if a
username is valid.
Severity: 1/4
Consequences: data reading
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/04/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The "alwaysauthreject" directive of Asterisk indicates to return
the "401 Unauthorized" error message for most authentication
errors.
When "alwaysauthreject" is enabled:
– if the username is valid and the password is invalid, Asterisk
returns "407 Proxy Authentication Required"
– if the username is invalid, Asterisk returns "401 Unauthorized"
When "alwaysauthreject" is unset, all error messages are different.
In both cases, an attacker can therefore examine error messages in
order to detect if a username is valid.
CHARACTERISTICS
Identifiers: AST-2009-003, BID-34353, CVE-2008-3903,
VIGILANCE-VUL-8597
http://vigilance.fr/vulnerability/Asterisk-user-detection-8597