Default configuration

2011-07-0619:55:00

PRIOn knowledge base

www.prio-n.com

6.7 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.5%

JSON

The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.

CPENameOperatorVersion
asteriskeq1.6.2.16.2
asteriskeq1.6.2.0 rc3
asteriskeq1.6.2.0 rc2
asteriskeq1.6.2.1
asteriskeq1.6.2.0 rc4
asteriskeq1.6.2.4
asteriskeq1.6.2.6
asteriskeq1.6.2.0 rc5
asteriskeq1.6.2.0 rc7
asteriskeq1.6.2.16 rc1

Name	Operator	Version
asterisk	eq	1.6.2.16.2
asterisk	eq	1.6.2.0 rc3
asterisk	eq	1.6.2.0 rc2
asterisk	eq	1.6.2.1
asterisk	eq	1.6.2.0 rc4
asterisk	eq	1.6.2.4
asterisk	eq	1.6.2.6
asterisk	eq	1.6.2.0 rc5
asterisk	eq	1.6.2.0 rc7
asterisk	eq	1.6.2.16 rc1