CVE-2009-3727

Asterisk <1.2.35/1.4.26.3/1.6.0.17/1.6.1.9 - Unauthenticated Username Enumeration via SIP REGISTER

Title source: llm
STIX 2.1

Description

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

References (12)

Core 12
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37265
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37479
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37677
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1952
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=523277
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=533137
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36924
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/59697
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023133

Scores

EPSS 0.0420
EPSS Percentile 89.8%

Details

CWE
CWE-200
Status published
Products (25)
digium/asterisk 1.2.0 (5 CPE variants)
digium/asterisk 1.2.1
digium/asterisk 1.2.2 (2 CPE variants)
digium/asterisk 1.2.3 (2 CPE variants)
digium/asterisk 1.2.10 (2 CPE variants)
digium/asterisk 1.2.11 (2 CPE variants)
digium/asterisk 1.2.12 (2 CPE variants)
digium/asterisk 1.2.12.1 (2 CPE variants)
digium/asterisk 1.2.13 (2 CPE variants)
digium/asterisk 1.2.14
... and 15 more
Published Nov 10, 2009
Tracked Since Feb 18, 2026