CVE-2009-3727
Asterisk <1.2.35/1.4.26.3/1.6.0.17/1.6.1.9 - Unauthenticated Username Enumeration via SIP REGISTER
Title source: llmDescription
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.
References (12)
Core 12
Core References
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37265
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37479
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37677
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2009/dsa-1952
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=523277
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=533137
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/36924
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/59697
Vendor Advisory x_refsource_confirm
http://downloads.asterisk.org/pub/security/AST-2009-008.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1023133
Scores
EPSS
0.0420
EPSS Percentile
89.8%
Details
CWE
CWE-200
Status
published
Products (25)
digium/asterisk
1.2.0 (5 CPE variants)
digium/asterisk
1.2.1
digium/asterisk
1.2.2 (2 CPE variants)
digium/asterisk
1.2.3 (2 CPE variants)
digium/asterisk
1.2.10 (2 CPE variants)
digium/asterisk
1.2.11 (2 CPE variants)
digium/asterisk
1.2.12 (2 CPE variants)
digium/asterisk
1.2.12.1 (2 CPE variants)
digium/asterisk
1.2.13 (2 CPE variants)
digium/asterisk
1.2.14
... and 15 more
Published
Nov 10, 2009
Tracked Since
Feb 18, 2026