[VOIPSEC] AST-2009-001: Information leak in IAX2 authentication

Security Officer security at asterisk.org
Fri Jan 9 13:31:15 CST 2009


On Friday 09 January 2009 13:00:54 you wrote:
> On Thu, 2009-01-08 at 13:28 -0600, Asterisk Security Team wrote:
> >   
> > +------------------------------------------------------------------------+
> > | Description | IAX2 provides a different response during authentication |
> > |             | when a user does not exist, as compared to when the      |
> > |             | password is merely wrong. This allows an attacker to     |
> > |             | scan a host to find specific users on which to           |
> > |             | concentrate password cracking attempts.                  |
>
> Hrm... I thought this had been fixed back when I originally reported it
> in 2006 shortly after I developed the enumIAX tool[1] for Endler &
> Collier's Hacking VoIP Exposed book and disclosed the vulnerability at
> ToorCon 8[2].  The sole purpose of enumIAX was to demonstrate this
> particular enumeration attack, differentiating between existing users,
> existing users with no password, and non-existing users.  Was this a
> regression or was the bug never originally fixed?
>
> [1] http://sourceforge.net/projects/enumiax/
> [2] http://www.dustintrammell.com/presentations/VoIP-Attacks-ToorCon-8/img46.html

It's certainly possible that we missed the disclosure, especially if you
disclosed it publicly, instead of contacting us directly.  We encourage
security researchers to contact us in advance of any public disclosure, in
order to mitigate damages to Asterisk users.  The only reason we caught this
one is because the researcher published his attack on the full disclosure
list, a list which we now monitor for any such public disclosures.



