Asterisk IAX2认证响应信息泄露漏洞

BUGTRAQ ID: 33174
CVE(CAN) ID: CVE-2009-0041

Asterisk是开放源码的软件PBX，支持各种VoIP协议和设备。

Asterisk IAX2在认证期间对用户不存在的情况和错误口令的情况提供了不同的响应，这允许攻击者通过扫描主机确定特定的用户。

Asterisk Asterisk 1.6.x
Asterisk Asterisk 1.4.x
Asterisk Asterisk 1.2.x
Asterisk Business Edition C.2.x.x
Asterisk Business Edition C.1.x.x
Asterisk Business Edition B.x.x
Asterisk s800i 1.2.x
厂商补丁：

Asterisk

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

<a href=“http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff” target=“_blank”>http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff</a>
<a href=“http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff” target=“_blank”>http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff</a>
<a href=“http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff” target=“_blank”>http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff</a>