CVE-2008-3903

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.2.x through 1.2.31 Asterisk Open Source versions 1.4.x through 1.4.24 Asterisk Open Source versions 1.6.0.x through 1.6.0.7 Asterisk Business Edition A.x.x Asterisk Business Edition B.x.x through B.2.5.7 Asterisk Business Edition C.1.x.x through C.1.10.4 Asterisk Business Edition C.2.x.x through C.2.3.2 s800i versions 1.3.x through 1.3.0.1 Trixbox PBX version 2.6.1

Description The issue generates different responses depending on whether a SIP username is valid, allowing remote attackers to enumerate valid usernames when Digest authentication and authalwaysreject are enabled.

Recommendations For Asterisk Open Source versions 1.2.x through 1.2.31, update to version 1.2.32 or later. For Asterisk Open Source versions 1.4.x through 1.4.24, update to version 1.4.24.1 or later. For Asterisk Open Source versions 1.6.0.x through 1.6.0.7, update to version 1.6.0.8 or later. For Asterisk Business Edition A.x.x, B.x.x through B.2.5.7, C.1.x.x through C.1.10.4, and C.2.x.x through C.2.3.2, update to a version that is not affected, such as B.2.5.8, C.1.10.5, or C.2.3.3, respectively. For s800i versions 1.3.x through 1.3.0.1, update to version 1.3.0.2 or later. For Trixbox PBX version 2.6.1, consider disabling Digest authentication or authalwaysreject until a patch is available.