CVE-2011-2666

Published: 06/07/2011 Updated: 29/08/2017
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x up to and including 1.4.41.2 and 1.6.2.x up to and including 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote malicious users to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.

Vulnerable Product

digium asterisk 1.6.2.16.2

digium asterisk 1.6.2.6

digium asterisk 1.6.2.0

digium asterisk 1.6.2.1

digium asterisk 1.6.2.17

digium asterisk 1.6.2.18

digium asterisk 1.6.2.2

digium asterisk 1.6.2.3

digium asterisk 1.6.2.17.3

digium asterisk 1.6.2.16

digium asterisk 1.6.2.17.2

digium asterisk 1.6.2.15

digium asterisk 1.6.2.5

digium asterisk 1.6.2.16.1

digium asterisk 1.6.2.4

digium asterisk 1.6.2.17.1

digium asterisk 1.6.2.18.1

digium asterisk 1.6.2.18.2

digium asterisk 1.4.29

digium asterisk 1.4.19

digium asterisk 1.4.30

digium asterisk 1.4.2

digium asterisk 1.4.20.1

digium asterisk 1.4.21

digium asterisk 1.4.10.1

digium asterisk 1.4.10

digium asterisk 1.4.17

digium asterisk 1.4.16.2

digium asterisk 1.4.18

digium asterisk 1.4.25

digium asterisk 1.4.26

digium asterisk 1.4.26.3

digium asterisk 1.4.22

digium asterisk 1.4.23

digium asterisk 1.4.28

digium asterisk 1.4.20

digium asterisk 1.4.31

digium asterisk 1.4.12.1

digium asterisk 1.4.11

digium asterisk 1.4.23.1

digium asterisk 1.4.26.1

digium asterisk 1.4.0

digium asterisk 1.4.33.1

digium asterisk 1.4.33

digium asterisk 1.4.27

digium asterisk 1.4.3

digium asterisk 1.4.38

digium asterisk 1.4.6

digium asterisk 1.4.19.2

digium asterisk 1.4.1

digium asterisk 1.4.16.1

digium asterisk 1.4.16

digium asterisk 1.4.25.1

digium asterisk 1.4.26.2

digium asterisk 1.4.23.2

digium asterisk 1.4.24

digium asterisk 1.4.34

digium asterisk 1.4.35

digium asterisk 1.4.32

digium asterisk 1.4.5

digium asterisk 1.4.7.1

digium asterisk 1.4.36

digium asterisk 1.4.39

digium asterisk 1.4.39.2

digium asterisk 1.4.40

digium asterisk 1.4.41.2

digium asterisk 1.4.29.1

digium asterisk 1.4.19.1

digium asterisk 1.4.21.1

digium asterisk 1.4.21.2

digium asterisk 1.4.15

digium asterisk 1.4.13

digium asterisk 1.4.14

digium asterisk 1.4.22.2

digium asterisk 1.4.22.1

digium asterisk 1.4.24.1

digium asterisk 1.4.8

digium asterisk 1.4.37

digium asterisk 1.4.41

digium asterisk 1.4.41.1

digium asterisk 1.4.9

digium asterisk 1.4.40.2

digium asterisk 1.4.27.1

digium asterisk 1.4.12

digium asterisk 1.4.7

digium asterisk 1.4.39.1

digium asterisk 1.4.4

digium asterisk 1.4.40.1

Vendor Advisories

Debian Bug report logs - #697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015. Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk. Reported by: Salvatore Bonaccorso <carnil@debian.org> Dat ...

Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. CVE-2012-2947: The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). CVE-2012-2948: The Skinny channel driver allows remote authenticated users to cau ...