Asterisk Security advisory – Information leak in IAX2 authentication

asterisklogo.jpgIf you are an Asterisk user, you should be aware that Digium has released AST-2009-001 Information leak in IAX2 authentication. The description is:

IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.

The workaround involves sending back responses that are valid for that particular site. For example, if it were known that a site only uses RSA authentication, then sending back an MD5 authentication request would similarly identify the user as not existing. The opposite is also true. So the solution is always to send back an authentication response that corresponds to a known frequency with which real authentication responses are returned, when the user does not exist. This makes it very difficult for an attacker to guess whether a user exists or not, based upon this particular mechanism.

Digium classifies it as a minor security issue and notes in the advisory that patches are available.

Technorati Tags:
, , , ,