Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0460
Asterisk Project Security Advisory - AST-2013-003
2 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk Open Source
Certified Asterisk
Asterisk Business Edition
Asterisk Digiumphones
Publisher: Digium
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2264
Original Bulletin:
http://downloads.digium.com/pub/security/AST-2013-003.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2013-003
Product Asterisk
Summary Username disclosure in SIP channel driver
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 30, 2013
Reported By Walter Doekes, OSSO B.V.
Posted On February 21, 2013
Last Updated On March 27, 2013
Advisory Contact Kinsey Moore <kmoore@digium.com>
CVE Name CVE-2013-2264
Description When authenticating via SIP with alwaysauthreject enabled,
allowguest disabled, and autocreatepeer disabled, Asterisk
discloses whether a user exists for INVITE, SUBSCRIBE, and
REGISTER transactions in multiple ways.
This information was disclosed:
* when a "407 Proxy Authentication Required" response was
sent instead of "401 Unauthorized" response.
* due to the presence or absence of additional tags at the
end of "403 Forbidden" such as "(Bad auth)".
* when a "401 Unauthorized" response was sent instead of
"403 Forbidden" response after a retransmission.
* when retransmissions were sent when a matching peer did
not exist, but were not when a matching peer did exist.
Resolution This issue can only be mitigated by upgrading to versions of
Asterisk that contain the patch or applying the patch.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Asterisk Open Source 11.x All Versions
Certified Asterisk 1.8.15 All Versions
Asterisk Business Edition C.3.x All Versions
Asterisk Digiumphones 10.x-digiumphones All Versions
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Asterisk Digiumphones 10.12.2-digiumphones
Certified Asterisk 1.8.15-cert2
Asterisk Business Edition C.3.8.1
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff Asterisk
BE C.3
Links https://issues.asterisk.org/jira/browse/ASTERISK-21013
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-003.pdf and
http://downloads.digium.com/pub/security/AST-2013-003.html
Revision History
Date Editor Revisions Made
2013-02-20 Kinsey Moore Initial revision.
2013-02-27 Kinsey Moore Added Asterisk BE patch information.
2013-02-27 Kinsey Moore Corrected open source Asterisk versions.
Asterisk Project Security Advisory - AST-2013-003
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUVpHRu4yVqjM2NGpAQJ4vA/9HhFpqm3p43ECALkmnHlVn/DaTiRvFyA2
s1uQEQJAarhsoLIjhkX5B4+F6GzgUDE2V37pR1GTEn37Eghlf1RZvRrhjyXF7WNq
gQ5QFQxrFzoyfLN2Ic1bOd6PDm48Ao4RRWH2ypkUFt3prikI+qgirKh2h33J6hAu
Bd39Nh7XkMt+8xJg/HBrxYOWO+x7Oo5S6T9DGvYNAf3xdABEPBtGKMh8kE7OjsTL
10bLnDmqi8JGTjcrdAoRpGdFJQh5sVRW4nD6CK40ewK5sJXkOs4fZKUzhZ7jY8FJ
KZEE98zwOqT7795tJbc7kj6OzUROxBptT4jiuWtv/tBJzTsCsl5jW/+QPqh3hZ01
jE05EokSTaSWUlzzkv8s/qGWZ19YrCSOVGj/z8x7vqZ5HFH4/eoApyhsPALYASZv
XcNjsZo8oLpdb5h+kL0qt9OnRLZI/M/hjQYZ/HfQ3WzPv1kf9JOuWWJ+k3s6t4vr
GmFZ3CmDnM9fVHk2FW5Ac8hSu7IUUv4G05N7PPbiLImVXkye2U1BSecVHBetRMYJ
xHs1UmcpBefELenoXRcu4mXKoSCySNQlIL3FKhTvdnmdIgWRmRhIynTaFQ+p0xJW
EyGf9hi9+VmkF/sYFfja3+2VcOkzhDFZ3ACnIU9tVBfOiwh3ckaVP+JIKEdy8FNR
Fh+/JQ9jjh4=
=t+vH
-----END PGP SIGNATURE-----