AST-2009-003: SIP responses expose valid usernames

Debian Bug report logs - #522528
AST-2009-003: SIP responses expose valid usernames

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: submit@bugs.debian.org

Subject: AST-2009-003: SIP responses expose valid usernames

Date: Sat, 4 Apr 2009 18:24:59 +0300

Package: asterisk
version: 1:1.4.21.2~dfsg-3
Severity: grave
Tags: patch

The Asterisk Project has issued the following advisory:
http://downloads.digium.com/pub/asa/AST-2009-003.html

It affects the versions in oldstable (1.2.13), stable/testing/unstable 
(1.4.21) and experimental (1.6.1-rc3. rc4, fixing this should be
released shortly). 

CVE entry: CVE-2008-3903

I'd like to include here the text of the advisory, as I believe it is
worth restating:

  In 2006, the Asterisk maintainers made it more difficult to scan for
  valid SIP usernames by implementing an option called
  "alwaysauthreject", which should return a 401 error on all replies
  which are generated for users which do not exist. While this was
  sufficient at the time, due to ever increasing compliance with RFC
  3261, the SIP specification, that is no longer sufficient as a means
  towards preventing attackers from checking responses to verify whether
  a SIP account exists on a machine.

  What we have done is to carefully emulate exactly the same responses
  throughout possible dialogs, which should prevent attackers from
  gleaning this information. All invalid users, if this option is turned
  on, will receive the same response throughout the dialog, as if a
  username was valid, but the password was incorrect.

  It is important to note several things. First, this vulnerability is
  derived directly from the SIP specification, and it is a technical
  violation of RFC 3261 (and subsequent RFCs, as of this date), for us
  to return these responses. Second, this attack is made much more
  difficult if administrators avoided creating all-numeric usernames and
  especially all-numeric passwords. This combination is extremely
  vulnerable for servers connected to the public Internet, even with
  this patch in place. While it may make configuring SIP telephones
  easier in the short term, it has the potential to cause grief over the
  long term.

Patches are linked from the advisory and are now being tested.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir

Message #12 received at 522528@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: control@bugs.debian.org

Cc: 522528@bugs.debian.org, 528497@bugs.debian.org

Subject: setting package to asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-progdoc asterisk-h423 ...

Date: Fri, 15 May 2009 17:29:32 +0300

# Automatically generated email from bts, devscripts version 2.10.35lenny3
# via tagpending 
#
# asterisk (1:1.6.1.0~dfsg-1) UNRELEASED; urgency=low
#
#  * New upstream release (Closes: #522528).
#  * Patch astcanary_startup: Avoid a false death of the canary
#    (Closes: #528497).
#

package asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-progdoc asterisk-h423
tags 528497 + pending
tags 522528 + pending

Message #19 received at 522528-close@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>

To: 522528-close@bugs.debian.org

Subject: Bug#522528: fixed in asterisk 1:1.6.1.0~dfsg-1

Date: Tue, 19 May 2009 23:17:35 +0000

Source: asterisk
Source-Version: 1:1.6.1.0~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.1.0~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.6.1.0~dfsg-1_all.deb
asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
asterisk-dev_1.6.1.0~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.6.1.0~dfsg-1_all.deb
asterisk-doc_1.6.1.0~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.6.1.0~dfsg-1_all.deb
asterisk-h423_1.6.1.0~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.6.1.0~dfsg-1_i386.deb
asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
asterisk_1.6.1.0~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1.diff.gz
asterisk_1.6.1.0~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1.dsc
asterisk_1.6.1.0~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1_i386.deb
asterisk_1.6.1.0~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 522528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 20 May 2009 08:00:23 +1000
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-progdoc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.1.0~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-progdoc - Source code documentation for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 528497
Changes: 
 asterisk (1:1.6.1.0~dfsg-1) unstable; urgency=low
 .
   * New upstream release (Closes: #522528).
 .
   [ Tzafrir Cohen ]
   * Depend explicitly on dahdi.
   * Patch apptest_sleep dropped: merged upstream.
   * Patch libtonezone_libm dropped: merged upstream.
   * Patch h423-make-fix dropped: merged upstream.
   * Use upstream's asterisk.conf rather than our bogus one.
   * Also add the version-specific release summary.
   * Patch dahdi_ptmp_nt: (not really) chan_dahdi PtMP NT support
     (Kristijan Vrban).
   * Patch dahdi_pri_debug_spannums: add span number in PRI trace.
   * Patch astcanary_startup: Avoid a false death of the canary
     (Closes: #528497).
   * Patch hardware_dtmf_mute_fix: Fix muting of DAHDI channels with hardware
     DTMF detection.
Checksums-Sha1: 
 a6837967792126e7fb174395eb0ba738a480863d 2055 asterisk_1.6.1.0~dfsg-1.dsc
 b9ac25f0d72f1ce1c0a0f7971e4f259fb2b0f8bd 7640519 asterisk_1.6.1.0~dfsg.orig.tar.gz
 fe2fb8477ec0696774a16caf6df70368f86270ca 56638 asterisk_1.6.1.0~dfsg-1.diff.gz
 acb9c3e6930a05cdf9c60c21516011760fed77e9 1979636 asterisk-doc_1.6.1.0~dfsg-1_all.deb
 f3e1b8ac3afdf9d141dab871713a5a08c9e08bcd 148535056 asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
 19cdf1497e4b7d845adbc6078f835de695f9d2f6 975846 asterisk-dev_1.6.1.0~dfsg-1_all.deb
 6fbe24114d373ed2d28ef013ec3481a3327dd32c 2509442 asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
 fa55b549a935d8d1f17dffa94f7013e3c351be6c 1045426 asterisk-config_1.6.1.0~dfsg-1_all.deb
 ad6ac47f7a3214f60a724a7b561c4acf0f369fa9 3813778 asterisk_1.6.1.0~dfsg-1_i386.deb
 d1126b2d0a00b290599545bcb246b11277488509 892358 asterisk-h423_1.6.1.0~dfsg-1_i386.deb
 c713f1a8ef6d1e9d5c72dd9711e2ab0a23d4e8a1 20219384 asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
Checksums-Sha256: 
 44d2a0cc52bccc3a64cc99c9fe71168839bdda1065ae6a841bae98f1d6d3a633 2055 asterisk_1.6.1.0~dfsg-1.dsc
 da63bb2f2c97e750e00253aa45f326f9a8e4a13d315fa315f0cfaf9812132f99 7640519 asterisk_1.6.1.0~dfsg.orig.tar.gz
 db70144cb6784c6641c43461ed164643eda8011bdf7d8c18e71e04d77ffc4850 56638 asterisk_1.6.1.0~dfsg-1.diff.gz
 391bb7994020398a69ea4442f16ff08bc160258d5bc45e0eff1cc2448c139582 1979636 asterisk-doc_1.6.1.0~dfsg-1_all.deb
 90523650f9b814f87298b472c3783a1d231dd28055ae904ecf7fa15ddd267f13 148535056 asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
 788345a2aee3f4ac96de72cc6d947ac4a7778b860837b0d79a28d1a15f8a8254 975846 asterisk-dev_1.6.1.0~dfsg-1_all.deb
 f3246199e599f2857f84d4ec74cbfd65d6272d173ff11377c31739dbc73222fc 2509442 asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
 82a70785cf7ff8c75dbde893403da5b19fa10e2d0564ad08fd22f3d4f045f462 1045426 asterisk-config_1.6.1.0~dfsg-1_all.deb
 c349c160a5ad07b9eab6172f222bb4183d051358afb6b0d36b9dd672a6c84cb7 3813778 asterisk_1.6.1.0~dfsg-1_i386.deb
 1274ed7841ac026e637c08517fddebfbc686883ce43d58214dae4f6fb96189bc 892358 asterisk-h423_1.6.1.0~dfsg-1_i386.deb
 a8a1a4d3f27de742e484184b3a0227d57c3e717b9c7815e9b0708e1bd6501be3 20219384 asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
Files: 
 d8d1c2e1ac2b78f2cbae42070d6f192d 2055 comm optional asterisk_1.6.1.0~dfsg-1.dsc
 9f6573edcf537f30690b8f8d5cf22786 7640519 comm optional asterisk_1.6.1.0~dfsg.orig.tar.gz
 6e75964823d653af27cb0788769923a1 56638 comm optional asterisk_1.6.1.0~dfsg-1.diff.gz
 3a68d4c51e120fab9cddfbc84f870f66 1979636 doc extra asterisk-doc_1.6.1.0~dfsg-1_all.deb
 8eec056d357371021092bc4e28f7bde9 148535056 doc extra asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
 15dbdeda43d1b7a45d824cd98333a400 975846 devel extra asterisk-dev_1.6.1.0~dfsg-1_all.deb
 f2b4f37a34af33428ab76b2f187f5160 2509442 comm optional asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
 1a4301224195f7e9cd3b9d8b6d9e0dbc 1045426 comm optional asterisk-config_1.6.1.0~dfsg-1_all.deb
 826fe89fd24d62e2101e888c133ef890 3813778 comm optional asterisk_1.6.1.0~dfsg-1_i386.deb
 a583525a751fcf7faa9c4396c0925f4c 892358 comm optional asterisk-h423_1.6.1.0~dfsg-1_i386.deb
 a35c9d18a580139984e94910c2eaa4fe 20219384 debug extra asterisk-dbg_1.6.1.0~dfsg-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoTMAEACgkQoCzanz0IthLTDgCdGGqb582DPbvdQJftJZ1otM93
a8oAoJKU5DcMbecJ1hqaQa98UW6mdhSJ
=P2v7
-----END PGP SIGNATURE-----

Message #24 received at 522528-close@bugs.debian.org (full text, mbox, reply):

From: Faidon Liambotis <paravoid@debian.org>

To: 522528-close@bugs.debian.org

Subject: Bug#522528: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny1

Date: Wed, 16 Dec 2009 23:32:30 +0000

Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-h423_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-h423_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 522528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Dec 2009 01:11:44 +0200
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.21.2~dfsg-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 554486 554487 559103
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny1) stable-security; urgency=high
 .
   * Multiple security fixes:
     - "Information leak in IAX2 authentication", AST-2009-001, CVE-2009-0041.
     - "Remote Crash Vulnerability in SIP channel driver", AST-2009-002.
     - "SIP responses expose valid usernames", AST-2009-003, CVE-2008-3903.
       (Closes: #522528)
     - "SIP responses expose valid usernames", AST-2009-008, CVE-2009-3727.
       (Closes: #554487)
     - Stop shipping old static-http code in examples. Among other things, it
       includes a vulnerable version of the prototype Javascript library.
       AST-2009-009, CVE-2008-7220. (Closes: #554486)
     - "RTP Remote Crash Vulnerability", AST-2009-010, CVE-2009-4055.
       (Closes: #559103)
Checksums-Sha1: 
 b39571677b5dee2efda9fc794b3d2ab5cebeb9ab 1984 asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 3b64d5aba93d38381d4e80b904f66741631aae89 5295205 asterisk_1.4.21.2~dfsg.orig.tar.gz
 880546ae3b24c47f6bb6de248599086626772b47 150880 asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 db42a0cbcb3bd6a5b44f0acebc91b809e15176c3 32514900 asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 9426e6a3e3dc12834c7e705fa8513b8d4fdae092 427650 asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 bb1cfceef93bdef38fc64aac7ea13dcb1130d7e6 1897736 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 14839ed0b3cb721459ddad32b87cfa4b3e11d558 478858 asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 a2121ba035dbbc96bb6b92ed3f3fd70f5ed235db 2407006 asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 db4f0873783fdea719309109b080facb75b5c1a1 388450 asterisk-h423_1.4.21.2~dfsg-3+lenny1_i386.deb
 a23c992cd677082e793f4b96d150792fb7436d85 12937820 asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
Checksums-Sha256: 
 3c1c8a5e5054d30c2aad0546deac4907fb8c46cf82732f4598f0d34baa69aafc 1984 asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 18a2c244568f11b75afd0850cae65b394be888c778869fce61651e64a181603d 5295205 asterisk_1.4.21.2~dfsg.orig.tar.gz
 5dd0f5c19b6d458a1ef432818247c98b2ad4e2ceb4b3f4535b2b91243d1e4a6e 150880 asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 196f07874797f359adb03111311abe1893b1623d7808ab206da90d6847797a2e 32514900 asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 c060a368134b247aa1d27374b683ee3f273da951bee28659cbabab2f3c7d004a 427650 asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 3309cb55110e7b43a47a5cd7c7488731282ac128a2d40e937292e760232c6434 1897736 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 34341baafa36917469e4d72429ea642418628bf2626cb9208baf17337186e788 478858 asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 187122e727887bdbb9cd62b3a1701a8de53b81e27cbb4a427d1437f9f154f167 2407006 asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 80619106ec8570c3a584bf81e8a1f5cb64e1c4af7a50e31ad6308b381821512e 388450 asterisk-h423_1.4.21.2~dfsg-3+lenny1_i386.deb
 4ee223894f928d207c29e62e3f15bb14a7b57da491ccfd2bdb61820efa62693f 12937820 asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
Files: 
 69dcaf09361976f55a053512fb26d7b5 1984 comm optional asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 f641d1140b964e71e38d27bf3b2a2d80 5295205 comm optional asterisk_1.4.21.2~dfsg.orig.tar.gz
 ba6e81cd6ab443ef04467d57a1d954b3 150880 comm optional asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 8d959ce35cc61436ee1e09af475459d1 32514900 doc extra asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 fb8a7dd925c8d209f3007e2a7d6602d8 427650 devel extra asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 f0b7912d2ea0377bbb3c56cbc067d230 1897736 comm optional asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 b483c77c21df4ae9cea8a4277f96966a 478858 comm optional asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 2bbd456e2d36a734ac0789b6ff7e9d22 2407006 comm optional asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 7c9e49cb8610a577d63f3fb77ecd92da 388450 comm optional asterisk-h423_1.4.21.2~dfsg-3+lenny1_i386.deb
 46acd420961efc6c932d94eec0452ad3 12937820 devel extra asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksmj6cACgkQVty5d8XpUzMwHgCeKbMGyk0QDov48qlK09G5Fdzb
w2gAn2POsBO9cc4Dv+PrArwit8Is90D1
=M94m
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.