In association with heise online

06 April 2009, 13:02

Asterisk update makes guessing user names more difficult

New versions of the open source Asterisk PBX software prevent attackers from gleaning valid user names that could be used in an attack. Vulnerable versions of Asterisk, when queried, would respond with a different message depending on whether the user name was valid or invalid, thereby exposing valid user names. To confirm a user name, an attacker would only need to send a SIP INVITE or REGISTER request and await the response from Asterisk. The software now includes an option that makes it return the same response for an invalid user name as it does for a valid user name with an incorrect password.
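The following is an added example, not part of the original article or of Asterisk: a regression check that compares the response to an unknown user name with the response to a known user name and wrong password, and lists anything an observer could use to tell them apart. The sample responses, host names, user names and status codes are constructed for illustration and are not taken from the article.

```python
import re

# Headers that differ per transaction or echo the request; not a leak by themselves.
VOLATILE = {"via", "call-id", "cseq", "from", "to"}

def fingerprint(raw):
    """Reduce a raw SIP response to what an observer can compare across probes."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    first, *rest = head.strip().split("\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.+)", first)
    if not m:
        raise ValueError("not a SIP response: %r" % first)
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in VOLATILE:
            continue
        # A digest nonce is random per challenge, so mask it before comparing.
        headers[name] = re.sub(r'nonce="[^"]*"', 'nonce="*"', value.strip())
    return "%s %s" % (m.group(1), m.group(2).strip()), headers

def differences(resp_a, resp_b):
    """List every observable difference between two responses; empty means uniform."""
    (status_a, hdr_a), (status_b, hdr_b) = fingerprint(resp_a), fingerprint(resp_b)
    found = []
    if status_a != status_b:
        found.append("status: %s vs %s" % (status_a, status_b))
    for name in sorted(set(hdr_a) | set(hdr_b)):
        if hdr_a.get(name) != hdr_b.get(name):
            found.append("header %s: %r vs %r" % (name, hdr_a.get(name), hdr_b.get(name)))
    return found

def make(status, user, extra=""):
    # Constructed sample response, not captured traffic.
    return ("SIP/2.0 %s\r\nVia: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK%s\r\n"
            "To: <sip:%s@pbx.example>\r\nCall-ID: %s-1\r\nCSeq: 1 REGISTER\r\n"
            "%sContent-Length: 0\r\n\r\n" % (status, user, user, user, extra))

CHALLENGE = 'WWW-Authenticate: Digest realm="pbx.example", nonce="%s"\r\n'
# Before: the reply depends on whether the name exists (status codes are illustrative).
BEFORE = (make("404 Not Found", "nosuchuser"), make("403 Forbidden", "alice"))
# After: unknown name and wrong password get the same kind of reply.
AFTER = (make("401 Unauthorized", "nosuchuser", CHALLENGE % "5f1c"),
         make("401 Unauthorized", "alice", CHALLENGE % "a902"))

if __name__ == "__main__":
    print(differences(*BEFORE))
    print(differences(*AFTER))
```

An empty list for the second pair means the two cases are indistinguishable by status line and headers; timing differences are outside what this check covers.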

The vulnerability has been eliminated in Asterisk versions 1.2.32, 1.4.24.1, 1.6.0.8, Asterisk Business Edition B.2.5.8, C.1.10.5, C.2.3.3 and s800i (Asterisk Appliance) 1.3.0.2.

(crve)

Permalink: http://h-online.com/-741043