CVE-2013-2264

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 1.8.20.1 Asterisk Open Source versions 10.x through 10.12.1 Asterisk Open Source versions 11.x through 11.2.1 Certified Asterisk versions 1.8.15 through 1.8.15-cert1 Asterisk Business Edition (BE) versions C.3.x through C.3.8.0 Asterisk Digiumphones versions 10.x-digiumphones through 10.12.2-digiumphones

Description The SIP channel driver in Asterisk exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists. This allows remote attackers to enumerate account names by reading HTTP status codes, reading additional text in a 403 response, or observing whether certain retransmissions occur.

Recommendations For Asterisk Open Source versions 1.8.x through 1.8.20.1, update to version 1.8.20.2 or later. For Asterisk Open Source versions 10.x through 10.12.1, update to version 10.12.2 or later. For Asterisk Open Source versions 11.x through 11.2.1, update to version 11.2.2 or later. For Certified Asterisk versions 1.8.15 through 1.8.15-cert1, update to version 1.8.15-cert2 or later. For Asterisk Business Edition (BE) versions C.3.x through C.3.8.0, update to version C.3.8.1 or later. For Asterisk Digiumphones versions 10.x-digiumphones through 10.12.2-digiumphones, update to a version that includes the fix for this issue.