CVE-2009-0041

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.2.x through 1.2.30 Asterisk Open Source versions 1.4.x through 1.4.23-rc3 Asterisk Open Source versions 1.6.x through 1.6.0.3-rc1 Asterisk Business Edition A.x.x Asterisk Business Edition B.x.x through B.2.5.6 Asterisk Business Edition C.1.x.x through C.1.10.3 Asterisk Business Edition C.2.x.x through C.2.1.2.0 s800i versions 1.2.x through 1.2.x

Description The issue allows remote attackers to enumerate valid usernames by exploiting a difference in response to a failed login attempt depending on whether the user account exists.

Recommendations For Asterisk Open Source versions 1.2.x through 1.2.30, update to version 1.2.31 or later. For Asterisk Open Source versions 1.4.x through 1.4.23-rc3, update to version 1.4.23-rc4 or later. For Asterisk Open Source versions 1.6.x through 1.6.0.3-rc1, update to version 1.6.0.3-rc2 or later. For Asterisk Business Edition A.x.x, update to a version that is not affected by this issue. For Asterisk Business Edition B.x.x through B.2.5.6, update to version B.2.5.7 or later. For Asterisk Business Edition C.1.x.x through C.1.10.3, update to version C.1.10.4 or later. For Asterisk Business Edition C.2.x.x through C.2.1.2.0, update to version C.2.1.2.1 or later. For s800i versions 1.2.x through 1.2.x, update to version 1.3.0 or later.