[security at asterisk.org: [asterisk-users] AST-2009-001: Information leak in IAX2 authentication]
Diana Cionoiu
diana at null.ro
Thu Jan 8 20:51:34 UTC 2009
What about Yate 2?
Diana
Tzafrir Cohen wrote:
> yey, we get to push yet another version of Asterisk.
>
> Though I feel a bit uncomfortable about the fix: we leak (albeit very
> little) information about previous authentication to the next
> authentication. Can this actually help a slow scan?
>
> I'd rather wait a bit with this one.
>
> ----- Forwarded message from Asterisk Security Team <security at asterisk.org> -----
>
> To: asterisk-users at lists.digium.com
> From: Asterisk Security Team <security at asterisk.org>
> Date: Thu, 08 Jan 2009 13:28:55 -0600
> Subject: [asterisk-users] AST-2009-001: Information leak in IAX2
> authentication
> Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
>
> Asterisk Project Security Advisory - AST-2009-001
>
> +------------------------------------------------------------------------+
> | Product | Asterisk |
> |----------------------+-------------------------------------------------|
> | Summary | Information leak in IAX2 authentication |
> |----------------------+-------------------------------------------------|
> | Nature of Advisory | Unauthorized data disclosure |
> |----------------------+-------------------------------------------------|
> | Susceptibility | Remote Unauthenticated Sessions |
> |----------------------+-------------------------------------------------|
> | Severity | Minor |
> |----------------------+-------------------------------------------------|
> | Exploits Known | Yes |
> |----------------------+-------------------------------------------------|
> | Reported On | October 15, 2008 |
> |----------------------+-------------------------------------------------|
> | Reported By | http://www.unprotectedhex.com |
> |----------------------+-------------------------------------------------|
> | Posted On | January 7, 2009 |
> |----------------------+-------------------------------------------------|
> | Last Updated On | January 7, 2009 |
> |----------------------+-------------------------------------------------|
> | Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
> |----------------------+-------------------------------------------------|
> | CVE Name | CVE-2009-0041 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Description | IAX2 provides a different response during authentication |
> | | when a user does not exist, as compared to when the |
> | | password is merely wrong. This allows an attacker to |
> | | scan a host to find specific users on which to |
> | | concentrate password cracking attempts. |
> | | |
> | | The workaround involves sending back responses that are |
> | | valid for that particular site. For example, if it were |
> | | known that a site only uses RSA authentication, then |
> | | sending back an MD5 authentication request would |
> | | similarly identify the user as not existing. The |
> | | opposite is also true. So the solution is always to send |
> | | back an authentication response that corresponds to a |
> | | known frequency with which real authentication responses |
> | | are returned, when the user does not exist. This makes |
> | | it very difficult for an attacker to guess whether a |
> | | user exists or not, based upon this particular |
> | | mechanism. |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
> | | the 1.4 branch or one of the releases noted below. |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Affected Versions |
> |------------------------------------------------------------------------|
> | Product | Release | |
> | | Series | |
> |----------------------------+---------+---------------------------------|
> | Asterisk Open Source | 1.2.x | All version prior to 1.2.31 |
> |----------------------------+---------+---------------------------------|
> | Asterisk Open Source | 1.4.x | All versions prior to |
> | | | 1.4.23-rc4 |
> |----------------------------+---------+---------------------------------|
> | Asterisk Open Source | 1.6.x | All versions prior to |
> | | | 1.6.0.3-rc2 |
> |----------------------------+---------+---------------------------------|
> | Asterisk Addons | 1.2.x | Not affected |
> |----------------------------+---------+---------------------------------|
> | Asterisk Addons | 1.4.x | Not affected |
> |----------------------------+---------+---------------------------------|
> | Asterisk Addons | 1.6.x | Not affected |
> |----------------------------+---------+---------------------------------|
> | Asterisk Business Edition | A.x.x | All versions |
> |----------------------------+---------+---------------------------------|
> | Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 |
> |----------------------------+---------+---------------------------------|
> | Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 |
> |----------------------------+---------+---------------------------------|
> | Asterisk Business Edition | C.2.x.x | All versions prior to C.2.1.2.1 |
> |----------------------------+---------+---------------------------------|
> | AsteriskNOW | 1.5 | Not affected |
> |----------------------------+---------+---------------------------------|
> | s800i (Asterisk Appliance) | 1.2.x | All versions prior to 1.3.0 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Corrected In |
> |------------------------------------------------------------------------|
> | Product | Release |
> |--------------------------------------------+---------------------------|
> | Asterisk Open Source | 1.2.31 |
> |--------------------------------------------+---------------------------|
> | Asterisk Open Source | 1.4.22.1 |
> |--------------------------------------------+---------------------------|
> | Asterisk Open Source | 1.6.0.3 |
> |--------------------------------------------+---------------------------|
> | Asterisk Business Edition | B.2.5.7 |
> |--------------------------------------------+---------------------------|
> | Asterisk Business Edition | C.1.10.4 |
> |--------------------------------------------+---------------------------|
> | Asterisk Business Edition | C.2.1.2.1 |
> |--------------------------------------------+---------------------------|
> | s800i (Asterisk Appliance) | 1.3.0 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Patches |
> |------------------------------------------------------------------------|
> | URL |Branch|
> |-----------------------------------------------------------------+------|
> |http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 |
> |-----------------------------------------------------------------+------|
> |http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 |
> |-----------------------------------------------------------------+------|
> |http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Links | http://code.google.com/p/iaxscan/ |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Asterisk Project Security Advisories are posted at |
> | http://www.asterisk.org/security |
> | |
> | This document may be superseded by later versions; if so, the latest |
> | version will be posted at |
> | http://downloads.digium.com/pub/security/AST-2009-001.pdf and |
> | http://downloads.digium.com/pub/security/AST-2009-001.html |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Revision History |
> |------------------------------------------------------------------------|
> | Date | Editor | Revisions Made |
> |-----------------+------------------------+-----------------------------|
> | 2009-01-07 | Tilghman Lesher | Initial release |
> +------------------------------------------------------------------------+
>
> Asterisk Project Security Advisory - AST-2009-001
> Copyright (c) 2009 Digium, Inc. All Rights Reserved.
> Permission is hereby granted to distribute and publish this advisory in its
> original, unaltered form.
>
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> ----- End forwarded message -----
>
>
More information about the Pkg-voip-maintainers
mailing list