CVE-2009-0041

Published: 14/01/2009 Updated: 11/10/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

IAX2 in Asterisk Open Source 1.2.x prior to 1.2.31, 1.4.x prior to 1.4.23-rc4, and 1.6.x prior to 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x prior to 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote malicious users to enumerate valid usernames.

Vulnerable Product

asterisk open source 1.2.1

asterisk open source 1.2.11

asterisk open source 1.2.0

asterisk open source 1.2.21.1

asterisk open source 1.2.2

asterisk open source 1.2.22

asterisk open source 1.2.16

asterisk open source 1.2.30.2

asterisk open source 1.2.30

asterisk open source 1.2.23

asterisk open source 1.2.26.2

asterisk open source 1.4.18.1

asterisk open source 1.4.17

asterisk open source 1.4.15

asterisk open source 1.4.14

asterisk open source 1.4.0

asterisk open source 1.4.8

asterisk open source 1.4.7

asterisk open source 1.4.2

asterisk open source 1.4beta

asterisk open source 1.4.21

asterisk open source 1.4.21.1

asterisk open source 1.4.23

asterisk open source 1.6.0

asterisk asterisk business edition b.2.5.0

asterisk asterisk business edition b.2.3.2

asterisk asterisk business edition b.1.3.2

asterisk asterisk business edition

asterisk open source 1.2.10

asterisk open source 1.2.12.1

asterisk open source 1.2.14

asterisk open source 1.2.13

asterisk open source 1.2.20

asterisk open source 1.2.21

asterisk open source 1.2.18

asterisk open source 1.2.15

asterisk open source 1.2.26.1

asterisk open source 1.2.27

asterisk open source 1.2.26

asterisk open source 1.4.19

asterisk open source 1.4.13

asterisk open source 1.4.12

asterisk open source 1.4.1

asterisk open source 1.4.19.1

asterisk open source 1.4.5

asterisk open source 1.4.19.2

asterisk open source 1.4.20

asterisk open source 1.4.21.2

asterisk open source 1.4.22

asterisk open source

asterisk open source 1.6.0.1

asterisk asterisk business edition a

asterisk asterisk business edition b.2.3.3

asterisk asterisk business edition b.2.3.4

asterisk asterisk business edition c.1.0

asterisk open source 1.2.0beta2

asterisk open source 1.2.0beta1

asterisk open source 1.2.17

asterisk open source 1.2.28

asterisk open source 1.2.30.3

asterisk open source 1.2.25

asterisk open source 1.2.3

asterisk open source 1.4.16

asterisk open source 1.4.16.1

asterisk open source 1.4.16.2

asterisk open source 1.4.10

asterisk open source 1.4.9

asterisk open source 1.4.3

asterisk open source 1.4.4

asterisk open source 1.4.22.1

asterisk open source 1.4.22.2

asterisk asterisk business edition b.2.5.3

asterisk asterisk business edition b.2.3.6

asterisk asterisk business edition b.2.2.1

asterisk asterisk business edition b.2.3.1

asterisk open source 1.2.12

asterisk open source 1.2.19

asterisk open source 1.2.29

asterisk open source 1.2.24

asterisk open source 1.4.10.1

asterisk open source 1.4.12.1

asterisk open source 1.4.18

asterisk open source 1.4.11

asterisk open source 1.4.7.1

asterisk open source 1.4_revision_95946

asterisk open source 1.4.6

asterisk open source 1.6.0.2

asterisk open source 1.6.0.3

asterisk asterisk business edition b.2.3.5

asterisk asterisk business edition b.2.5.1

asterisk asterisk business edition b.1.3.3

asterisk asterisk business edition b.2.2.0

asterisk s800i appliance 1.2

Vendor Advisories

Debian Bug report logs - #513413 AST-2009-001: Information leak in IAX2 authentication Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Wed, 28 ...
Debian Bug report logs - #559103 CVE-2009-4055: RTP Remote Crash Vulnerability Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Tue, 1 Dec 200 ...
Debian Bug report logs - #522528 AST-2009-003: SIP responses expose valid usernames Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk (PTS, buildd, popcon) Reported by: Tzafrir Cohen <tzafrir.cohen@xorcom.com> Date: Sat, ...