CVE-2009-3727

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.2.x through 1.2.34 Asterisk Open Source versions 1.4.x through 1.4.26.2 Asterisk Open Source versions 1.6.0.x through 1.6.0.16 Asterisk Open Source versions 1.6.1.x through 1.6.1.8 Business Edition A.x.x Business Edition B.x.x through B.2.5.11 Business Edition C.2.x.x through C.2.4.4 Business Edition C.3.x.x through C.3.2.1 AsteriskNOW version 1.5 s800i versions 1.3.x through 1.3.0.4

Description The issue allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the "To" header and the Digest in the "Authorization" header. This is due to different error messages being generated depending on whether a SIP username is valid.

Recommendations For Asterisk Open Source versions 1.2.x through 1.2.34, update to version 1.2.35 or later. For Asterisk Open Source versions 1.4.x through 1.4.26.2, update to version 1.4.26.3 or later. For Asterisk Open Source versions 1.6.0.x through 1.6.0.16, update to version 1.6.0.17 or later. For Asterisk Open Source versions 1.6.1.x through 1.6.1.8, update to version 1.6.1.9 or later. For Business Edition A.x.x, no specific fix is provided. For Business Edition B.x.x through B.2.5.11, update to version B.2.5.12 or later. For Business Edition C.2.x.x through C.2.4.4, update to version C.2.4.5 or later. For Business Edition C.3.x.x through C.3.2.1, update to version C.3.2.2 or later. For AsteriskNOW version 1.5, no specific fix is provided. For s800i versions 1.3.x through 1.3.0.4, update to version 1.3.0.5 or later.