In association with heise online

6 April 2009, 14:02

Asterisk update makes guessing user names more difficult

New versions of the open source Asterisk PBX software prevent attackers from gleaning valid user names that could be used in an attack. When queried, vulnerable versions of Asterisk respond with a different message depending on whether the user name is valid or invalid, thereby exposing valid user names. To confirm a user name, an attacker only needs to send an INVITE or REGISTER request and await Asterisk's response. The software now includes an option that returns the same response for an invalid user name as for a valid user name with an incorrect password.
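The response oracle described above, as an added model that is not Asterisk's code: a toy SIP registrar that answers REGISTER and INVITE probes either in the vulnerable way (a distinct reply for unknown users) or with the fix enabled (one reply for both cases, which in Asterisk is the sip.conf setting `alwaysauthreject=yes`). The account table and status codes are constructed for illustration, and the Digest challenge round-trip of real SIP is collapsed into a single request.

```python
"""Model of a SIP user-name disclosure oracle and its fix (constructed example)."""
import hmac
from typing import Optional

# Constructed account table: user -> shared secret. Not real Asterisk data.
ACCOUNTS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}


def sip_response(method: str, user: str, password: Optional[str],
                 always_auth_reject: bool) -> str:
    """Return the status line a registrar sends for a REGISTER or INVITE.

    always_auth_reject=False models the vulnerable behaviour: an unknown
    user gets a different reply than a known user with a bad password.
    always_auth_reject=True models the fix: both cases get the same reply.
    """
    if method not in ("REGISTER", "INVITE"):
        return "405 Method Not Allowed"
    known = user in ACCOUNTS
    # Look up and compare for unknown users too, so both paths do the same
    # work and the reply does not differ in content (or grossly in timing).
    expected = ACCOUNTS.get(user, "")
    authenticated = (known and password is not None
                     and hmac.compare_digest(expected, password))
    if authenticated:
        return "200 OK"
    if not known and not always_auth_reject:
        # Vulnerable: this reply alone tells the sender the account does not exist.
        return "404 Not Found"
    # Known user with a wrong/missing password, or any user once the fix is on.
    return "401 Unauthorized"


def leaks_usernames(always_auth_reject: bool) -> bool:
    """Defender's check: compare the reply for a valid user with a bad password
    against the reply for an unknown user. True means an enumeration oracle exists."""
    valid_bad_pw = sip_response("REGISTER", "alice", "wrong", always_auth_reject)
    unknown = sip_response("REGISTER", "nobody", "wrong", always_auth_reject)
    return valid_bad_pw != unknown


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"always_auth_reject={fixed}: leaks user names -> {leaks_usernames(fixed)}")
```

The same check can be run against a real PBX by sending the two probes to your own server and comparing the status lines; identical replies mean the option is effective.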

The vulnerability has been eliminated in Asterisk versions 1.2.32, 1.4.24.1, 1.6.0.8, Asterisk Business Edition B.2.5.8, C.1.10.5, C.2.3.3 and s800i (Asterisk Appliance) 1.3.0.2.

(crve)

