CVE-2011-4597 Information
Feb 14, 2021
Description
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
Reference
http://archives.neohapsis.com/archives/bugtraq/2011-12/0151.html
http://downloads.asterisk.org/pub/security/AST-2011-013.html
http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
http://openwall.com/lists/oss-security/2011/12/09/3
http://openwall.com/lists/oss-security/2011/12/09/4
http://osvdb.org/77597
http://secunia.com/advisories/47273
http://www.debian.org/security/2011/dsa-2367