Asterisk update makes guessing user names more difficult
New versions of the open source Asterisk PBX software prevent attackers from gleaning valid user names that could be used in an attack. Vulnerable versions of Asterisk, when queried, would respond with a different message depending on whether the user name was valid or invalid, thereby exposing valid user names. For an attacker to confirm a user name, they would only need to perform an invite or register query and await the response from Asterisk. An option is now included in the software that will provide the same response for invalid user names, as it does for valid user names with an incorrect password.
The vulnerability has been eliminated in Asterisk versions 1.2.32, 18.104.22.168, 22.214.171.124, Asterisk Business Edition B.2.5.8 , C.1.10.5, C.2.3.3 and s800i (Asterisk Appliance) 126.96.36.199.
- SIP responses expose valid user names, advisory from Digium.