CVE-2011-4597
Asterisk 1.4.x < 1.4.43, 1.6.x < 1.6.2.21, 1.8.x < 1.8.7.2 - Username Enumeration via SIP UDP Response Port Variation
Title source: llmDescription
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/77597
Various Sources x_refsource_confirm
http://downloads.asterisk.org/pub/security/AST-2011-013.html
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/12/09/4
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/12/09/3
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/47273
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2011-12/0151.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2011/dsa-2367
Various Sources mailing-list
x_refsource_mlist
http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
Scores
EPSS
0.0328
EPSS Percentile
87.0%
Details
CWE
CWE-200
Status
published
Products (24)
digium/asterisk
1.8.0 (10 CPE variants)
digium/asterisk
1.8.1 (2 CPE variants)
digium/asterisk
1.8.1.1
digium/asterisk
1.8.1.2
digium/asterisk
1.8.2
digium/asterisk
1.8.2.1
digium/asterisk
1.8.2.2
digium/asterisk
1.8.2.3
digium/asterisk
1.8.2.4
digium/asterisk
1.8.3 (4 CPE variants)
... and 14 more
Published
Dec 15, 2011
Tracked Since
Feb 18, 2026