Vigil@nce : Asterisk, user detection via REGISTER
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the SIP REGISTER method to determine whether a
username is valid.
– Severity : 1/4
– Creation date : 30/05/2011
IMPACTED PRODUCTS
– Asterisk Open Source
DESCRIPTION OF THE VULNERABILITY
The "alwaysauthreject" directive of Asterisk makes the server return
the "401 Unauthorized" error message for most authentication
errors.
When "alwaysauthreject" is unset, each kind of authentication error
produces a different message, so valid usernames can be detected.
When "alwaysauthreject" is enabled, the SIP REGISTER method should
be protected as well. However, the REGISTER method is not protected :
- if the username is valid and the password is invalid, Asterisk
returns a timeout error
- if the username is invalid, Asterisk returns "407 Proxy
Authentication Required"
An attacker can therefore use the REGISTER method, even when
"alwaysauthreject" is enabled, to detect whether a username is
valid.
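The following added example (not part of the Vigil@nce bulletin or of Asterisk) shows how an administrator can check REGISTER responses captured from their own server for the difference described above. The function names and all sample responses are constructed for illustration; a timeout is represented as None.

```python
# Added example: audit captured REGISTER responses for a username-validity leak.
# Names and sample data are hypothetical/constructed, not taken from the bulletin.

def fingerprint(raw):
    """Reduce one captured SIP response (bytes, or None for a timeout) to what
    a remote client can observe: status code and challenge header type."""
    if raw is None:
        return ("timeout", None)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return ("malformed", None)
    challenge = None
    for line in lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name in ("www-authenticate", "proxy-authenticate"):
            challenge = name
    return (int(parts[1]), challenge)

def validity_oracle(observations):
    """observations: list of (account_exists, raw_response) pairs.
    The server leaks validity when existing and unknown accounts do not
    produce the same set of observable responses."""
    seen = {True: set(), False: set()}
    for exists, raw in observations:
        seen[exists].add(fingerprint(raw))
    return {
        "leaks": seen[True] != seen[False],
        "only_valid": sorted(seen[True] - seen[False], key=str),
        "only_invalid": sorted(seen[False] - seen[True], key=str),
    }

# Constructed sample responses.
R407 = (b"SIP/2.0 407 Proxy Authentication Required\r\n"
        b'Proxy-Authenticate: Digest realm="example", nonce="constructed"\r\n'
        b"Content-Length: 0\r\n\r\n")
R401 = (b"SIP/2.0 401 Unauthorized\r\n"
        b'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n'
        b"Content-Length: 0\r\n\r\n")

# Behaviour described in the bulletin: valid user + bad password -> timeout,
# invalid user -> 407.
AFFECTED = [(True, None), (False, R407)]
# Behaviour "alwaysauthreject" is meant to give: the same 401 in both cases.
UNIFORM = [(True, R401), (False, R401)]

if __name__ == "__main__":
    print("affected:", validity_oracle(AFFECTED))
    print("uniform: ", validity_oracle(UNIFORM))
```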
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-user-detection-via-REGISTER-10691