Vigil@nce : Asterisk, user detection via REGISTER

May 2011 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

An attacker can use the SIP REGISTER method to detect whether a
username is valid.

 Severity : 1/4
 Creation date : 30/05/2011

IMPACTED PRODUCTS

 Asterisk Open Source

DESCRIPTION OF THE VULNERABILITY

The "alwaysauthreject" directive of Asterisk makes it return the
"401 Unauthorized" error message for most authentication errors.

When "alwaysauthreject" is unset, the error messages differ, so
valid users can be detected.

When "alwaysauthreject" is enabled, the SIP REGISTER method should
be protected. However, the REGISTER method is not protected:
- if the username is valid and the password is invalid, Asterisk
returns a timeout error
- if the username is invalid, Asterisk returns "407 Proxy
Authentication Required"

An attacker can therefore use the REGISTER method, even when
"alwaysauthreject" is enabled, to detect whether a username is
valid.
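
A detection sketch for the behaviour described above, added here as an example (it is not part of the Vigil@nce bulletin or of Asterisk). It flags sources whose failed REGISTER requests span many distinct usernames and lists the usernames that ended in a timeout. The event tuple format, the host pbx.example.com, the sample addresses and the `min_users` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Username part of the To header (the address-of-record being registered).
TO_USER = re.compile(r"^(?:To|t)\s*:.*?sips?:([^@>;\s]+)@", re.I | re.M)

def reg(user):
    """Build a constructed, minimal REGISTER request for the sample data."""
    return (f"REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"CSeq: 1 REGISTER\r\n\r\n")

# Constructed events: (source IP, raw request, final status or None on timeout).
EVENTS = [
    ("198.51.100.7", reg("100"), 407),
    ("198.51.100.7", reg("101"), 407),
    ("198.51.100.7", reg("102"), None),
    ("198.51.100.7", reg("103"), 407),
    ("198.51.100.7", reg("104"), None),
    ("192.0.2.20", reg("alice"), 401),
    ("192.0.2.20", reg("alice"), 200),
]

def find_enumeration(events, min_users=4):
    """Flag sources whose failed REGISTERs span >= min_users distinct usernames.

    Returns {source: {"probed": [...], "exposed": [...]}}, where "exposed"
    lists usernames that ended in a timeout, the outcome the bulletin ties
    to a valid username.
    """
    failed, timed_out, ok = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, raw, status in events:
        match = TO_USER.search(raw) if raw.startswith("REGISTER ") else None
        if not match:
            continue
        user = match.group(1).lower()
        if status == 200:
            ok[src].add(user)
            continue
        failed[src].add(user)          # 401, 407 and timeouts all count
        if status is None:
            timed_out[src].add(user)
    report = {}
    for src, users in failed.items():
        probed = users - ok[src]       # ignore users that later registered
        if len(probed) >= min_users:
            report[src] = {"probed": sorted(probed),
                           "exposed": sorted(timed_out[src] & probed)}
    return report
```

Counting timeouts as failures matters here: a monitor that only counts explicit rejections would miss the valid-username case described in the bulletin.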

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Asterisk-user-detection-via-REGISTER-10691

