Information Exposure - CVE-2009-3727
Published: May 1, 2018
Vulnerability identifier: #VU12323
CSH Severity: Medium
CVSS v4.0:
CVE-ID: CVE-2009-3727
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor:
Affected software:
Detailed vulnerability description
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.
How to mitigate CVE-2009-3727
Install update from vendor's website.
Sources
- http://www.securityfocus.com/bid/36924
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
- https://bugzilla.redhat.com/show_bug.cgi?id=533137
- https://bugzilla.redhat.com/show_bug.cgi?id=523277
- http://www.securitytracker.com/id?1023133
- http://www.debian.org/security/2009/dsa-1952
- http://osvdb.org/59697
- http://downloads.asterisk.org/pub/security/AST-2009-008.html