Launchpad.net

CVE 2009-3727

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

Related bugs and status

CVE-2009-3727 (Candidate) is related to these bugs:

Bug #491632: ACL not respected on SIP INVITE

Summary				In	Importance	Status
	491632	ACL not respected on SIP INVITE		asterisk (Ubuntu)	Undecided	Fix Released
	491632	ACL not respected on SIP INVITE		asterisk (Ubuntu Karmic)	Undecided	Fix Released

Bug #491637: SIP responses expose valid usernames

		In	Importance	Status
491637	SIP responses expose valid usernames	asterisk (Ubuntu)	Undecided	Fix Released
491637	SIP responses expose valid usernames	asterisk (Ubuntu Dapper)	Undecided	Won't Fix
491637	SIP responses expose valid usernames	asterisk (Ubuntu Hardy)	Undecided	Won't Fix
491637	SIP responses expose valid usernames	asterisk (Ubuntu Intrepid)	Undecided	Invalid
491637	SIP responses expose valid usernames	asterisk (Ubuntu Jaunty)	Undecided	Won't Fix
491637	SIP responses expose valid usernames	asterisk (Ubuntu Karmic)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2009-3727

Related bugs and status

Related bugs

References