SIP responses expose valid usernames

Bug #491637 reported by Dave Walker on 2009-12-02
This bug affects 1 person
Affects              Status   Importance   Assigned to   Milestone
asterisk (Ubuntu)             Undecided    Dave Walker
  Nominated for Lucid by Dave Walker
Dapper                        Undecided    Unassigned
Hardy                         Undecided    Unassigned
Intrepid                      Undecided    Unassigned
Jaunty                        Undecided    Unassigned
Karmic                        Undecided    Dave Walker

Bug Description

Binary package hint: asterisk

It is possible to determine if a peer with a specific name is configured in Asterisk by sending a specially crafted REGISTER message twice. The username that is to be checked is put in the user portion of the URI in the To header. A bogus non-matching value is put into the username portion of the Digest in the Authorization header. If the peer does exist the second REGISTER will receive a response of “403 Authentication user name does not match account name”. If the peer does not exist the response will be “404 Not Found” if alwaysauthreject is disabled and “401 Unauthorized” if alwaysauthreject is enabled.

http://downloads.asterisk.org/pub/security/AST-2009-008.html
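
A detection sketch for the pattern described in the report, added here as an example (it is not part of the bug report or of Asterisk): it flags sources whose REGISTER requests carry a Digest username that differs from the To user across several accounts, and notes which probes drew the user-revealing 403. The capture format (source IP, raw request, response status line), the host pbx.example.test, the sample traffic and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Header folding and compact forms other than "t:" are not handled (assumption).
TO_USER = re.compile(r"^(?:To|t)\s*:.*?sips?:([^@>;\s]+)@", re.I | re.M)
DIGEST_USER = re.compile(
    r'^Authorization\s*:\s*Digest\b.*?\busername\s*=\s*"([^"]*)"', re.I | re.M)
LEAK_403 = "403 authentication user name does not match account name"

def register_mismatch(request):
    """Return (to_user, digest_user) when a REGISTER's Digest username differs from its To user."""
    if not request.startswith("REGISTER "):
        return None
    to, auth = TO_USER.search(request), DIGEST_USER.search(request)
    if not to or not auth or to.group(1) == auth.group(1):
        return None
    return to.group(1), auth.group(1)

def probing_sources(captures, threshold=3):
    """captures: (source_ip, raw_request, response_status_line) tuples.
    Report sources whose mismatched REGISTERs cover >= threshold distinct To users,
    and which of those users the server confirmed with the revealing 403."""
    probed, leaked = defaultdict(set), defaultdict(set)
    for src, request, status_line in captures:
        hit = register_mismatch(request)
        if hit is None:
            continue
        probed[src].add(hit[0])
        if LEAK_403 in status_line.lower():
            leaked[src].add(hit[0])
    return {ip: {"probed": sorted(users), "leaked": sorted(leaked[ip])}
            for ip, users in probed.items() if len(users) >= threshold}

def sample_register(to_user, digest_user):
    """Build a constructed REGISTER for the demo (not captured traffic)."""
    return ("REGISTER sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{to_user}@pbx.example.test>\r\n"
            f'Authorization: Digest username="{digest_user}", realm="asterisk", '
            'nonce="0", uri="sip:pbx.example.test", response="0"\r\n\r\n')

LEAK = "SIP/2.0 403 Authentication user name does not match account name"
SAMPLE = [  # constructed; addresses are documentation ranges
    ("192.0.2.10", sample_register("100", "nobody"), LEAK),
    ("192.0.2.10", sample_register("101", "nobody"), "SIP/2.0 404 Not Found"),
    ("192.0.2.10", sample_register("102", "nobody"), LEAK),
    ("198.51.100.7", sample_register("200", "200"), "SIP/2.0 200 OK"),
    ("198.51.100.8", sample_register("300", "300-auth"), LEAK),
]

if __name__ == "__main__":
    print(probing_sources(SAMPLE))
```

A non-empty "leaked" list means the server still answers with the distinguishing 403 and has not received the AST-2009-008 fix; the threshold keeps a single client with a mistyped auth name from being reported.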

Dave Walker (davewalker) on 2009-12-02
Changed in asterisk (Ubuntu):
assignee: nobody → Dave Walker (davewalker)
visibility: private → public
Changed in asterisk (Ubuntu Dapper):
status: New → Confirmed
Changed in asterisk (Ubuntu Hardy):
status: New → Confirmed
Changed in asterisk (Ubuntu Intrepid):
status: New → Confirmed
Changed in asterisk (Ubuntu Jaunty):
status: New → Confirmed
Changed in asterisk (Ubuntu Karmic):
status: New → Confirmed
Changed in asterisk (Ubuntu):
status: New → Confirmed
Dave Walker (davewalker) on 2009-12-03
Changed in asterisk (Ubuntu Karmic):
assignee: nobody → Dave Walker (davewalker)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu1.1

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is received.
    - AST-2009-010
    - CVE-2009-4055
 -- Dave Walker (Daviey) <email address hidden> Mon, 07 Dec 2009 12:23:36 +0000

Changed in asterisk (Ubuntu Karmic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu2

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu2) lucid; urgency=low

  [ Dave Walker (Daviey) ]
  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is received.
    - AST-2009-010
    - CVE-2009-4055

  [ Roberto D'Auria ]
  * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
    heavy traffic on iax2 channel, editing channels/chan_iax2.c.
    Based on upstream patch. (LP: #501116)
 -- Roberto D'Auria <email address hidden> Wed, 30 Dec 2009 14:49:24 +0100

Changed in asterisk (Ubuntu):
status: Confirmed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in asterisk (Ubuntu Intrepid):
status: Confirmed → Invalid
Feras Al-Taher (ftaher) on 2010-11-11
Changed in asterisk (Ubuntu Dapper):
status: Confirmed → Fix Committed
status: Fix Committed → Confirmed
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as fixed in later versions of Ubuntu.

Changed in asterisk (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in asterisk (Ubuntu Dapper):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in asterisk (Ubuntu Hardy):
status: Confirmed → Won't Fix