CVE-2009-3727

Sažetak

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

Reference

http://downloads.asterisk.org/pub/security/AST-2009-008.html
http://osvdb.org/59697
http://secunia.com/advisories/37265
http://secunia.com/advisories/37479
http://secunia.com/advisories/37677
http://www.debian.org/security/2009/dsa-1952
http://www.securityfocus.com/bid/36924
http://www.securitytracker.com/id?1023133
https://bugzilla.redhat.com/show_bug.cgi?id=523277
https://bugzilla.redhat.com/show_bug.cgi?id=533137
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

23-12-2009 - 06:58

Objavljeno

10-11-2009 - 18:30