CVE-2011-2536
Asterisk <1.4.41.2, <1.6.2.18.2, <1.8.4.4, <C.3.7.3 - Unauthenticated User Enumeration via SIP
Title source: llmDescription
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.
References (3)
Core 3
Core References
Patch x_refsource_confirm
http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff
Vendor Advisory x_refsource_confirm
http://downloads.asterisk.org/pub/security/AST-2011-011.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1025734
Scores
EPSS
0.0194
EPSS Percentile
77.8%
Details
CWE
CWE-200
Status
published
Products (24)
digium/asterisk
1.8.0 (10 CPE variants)
digium/asterisk
1.8.1 (2 CPE variants)
digium/asterisk
1.8.1.1
digium/asterisk
1.8.1.2
digium/asterisk
1.8.2
digium/asterisk
1.8.2.1
digium/asterisk
1.8.2.2
digium/asterisk
1.8.2.3
digium/asterisk
1.8.2.4
digium/asterisk
1.8.3 (4 CPE variants)
... and 14 more
Published
Jul 06, 2011
Tracked Since
Feb 18, 2026