CVE-2011-2666
First published: Wed Jul 06 2011(Updated: )
The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | =1.6.2.0 | |
| Asterisk | =1.6.2.0-rc2 | |
| Asterisk | =1.6.2.0-rc3 | |
| Asterisk | =1.6.2.0-rc4 | |
| Asterisk | =1.6.2.0-rc5 | |
| Asterisk | =1.6.2.0-rc6 | |
| Asterisk | =1.6.2.0-rc7 | |
| Asterisk | =1.6.2.0-rc8 | |
| Asterisk | =1.6.2.1 | |
| Asterisk | =1.6.2.1-rc1 | |
| Asterisk | =1.6.2.2 | |
| Asterisk | =1.6.2.3-rc2 | |
| Asterisk | =1.6.2.4 | |
| Asterisk | =1.6.2.5 | |
| Asterisk | =1.6.2.6 | |
| Asterisk | =1.6.2.6-rc1 | |
| Asterisk | =1.6.2.6-rc2 | |
| Asterisk | =1.6.2.15-rc1 | |
| Asterisk | =1.6.2.16 | |
| Asterisk | =1.6.2.16-rc1 | |
| Asterisk | =1.6.2.16.1 | |
| Asterisk | =1.6.2.16.2 | |
| Asterisk | =1.6.2.17 | |
| Asterisk | =1.6.2.17-rc1 | |
| Asterisk | =1.6.2.17-rc2 | |
| Asterisk | =1.6.2.17-rc3 | |
| Asterisk | =1.6.2.17.1 | |
| Asterisk | =1.6.2.17.2 | |
| Asterisk | =1.6.2.17.3 | |
| Asterisk | =1.6.2.18 | |
| Asterisk | =1.6.2.18-rc1 | |
| Asterisk | =1.6.2.18.1 | |
| Asterisk | =1.6.2.18.2 | |
| Asterisk | =1.4.0 | |
| Asterisk | =1.4.0-beta1 | |
| Asterisk | =1.4.0-beta2 | |
| Asterisk | =1.4.0-beta3 | |
| Asterisk | =1.4.0-beta4 | |
| Asterisk | =1.4.1 | |
| Asterisk | =1.4.2 | |
| Asterisk | =1.4.3 | |
| Asterisk | =1.4.4 | |
| Asterisk | =1.4.5 | |
| Asterisk | =1.4.6 | |
| Asterisk | =1.4.7 | |
| Asterisk | =1.4.7.1 | |
| Asterisk | =1.4.8 | |
| Asterisk | =1.4.9 | |
| Asterisk | =1.4.10 | |
| Asterisk | =1.4.10.1 | |
| Asterisk | =1.4.11 | |
| Asterisk | =1.4.12 | |
| Asterisk | =1.4.12.1 | |
| Asterisk | =1.4.13 | |
| Asterisk | =1.4.14 | |
| Asterisk | =1.4.15 | |
| Asterisk | =1.4.16 | |
| Asterisk | =1.4.16.1 | |
| Asterisk | =1.4.16.2 | |
| Asterisk | =1.4.17 | |
| Asterisk | =1.4.18 | |
| Asterisk | =1.4.19 | |
| Asterisk | =1.4.19-rc1 | |
| Asterisk | =1.4.19-rc2 | |
| Asterisk | =1.4.19-rc3 | |
| Asterisk | =1.4.19-rc4 | |
| Asterisk | =1.4.19.1 | |
| Asterisk | =1.4.19.2 | |
| Asterisk | =1.4.20 | |
| Asterisk | =1.4.20-rc1 | |
| Asterisk | =1.4.20-rc2 | |
| Asterisk | =1.4.20-rc3 | |
| Asterisk | =1.4.20.1 | |
| Asterisk | =1.4.21 | |
| Asterisk | =1.4.21-rc1 | |
| Asterisk | =1.4.21-rc2 | |
| Asterisk | =1.4.21.1 | |
| Asterisk | =1.4.21.2 | |
| Asterisk | =1.4.22 | |
| Asterisk | =1.4.22-rc1 | |
| Asterisk | =1.4.22-rc2 | |
| Asterisk | =1.4.22-rc3 | |
| Asterisk | =1.4.22-rc4 | |
| Asterisk | =1.4.22-rc5 | |
| Asterisk | =1.4.22.1 | |
| Asterisk | =1.4.22.2 | |
| Asterisk | =1.4.23 | |
| Asterisk | =1.4.23-rc1 | |
| Asterisk | =1.4.23-rc2 | |
| Asterisk | =1.4.23-rc3 | |
| Asterisk | =1.4.23-rc4 | |
| Asterisk | =1.4.23.1 | |
| Asterisk | =1.4.23.2 | |
| Asterisk | =1.4.24 | |
| Asterisk | =1.4.24-rc1 | |
| Asterisk | =1.4.24.1 | |
| Asterisk | =1.4.25 | |
| Asterisk | =1.4.25-rc1 | |
| Asterisk | =1.4.25.1 | |
| Asterisk | =1.4.26 | |
| Asterisk | =1.4.26-rc1 | |
| Asterisk | =1.4.26-rc2 | |
| Asterisk | =1.4.26-rc3 | |
| Asterisk | =1.4.26-rc4 | |
| Asterisk | =1.4.26-rc5 | |
| Asterisk | =1.4.26-rc6 | |
| Asterisk | =1.4.26.1 | |
| Asterisk | =1.4.26.2 | |
| Asterisk | =1.4.26.3 | |
| Asterisk | =1.4.27 | |
| Asterisk | =1.4.27-rc1 | |
| Asterisk | =1.4.27-rc2 | |
| Asterisk | =1.4.27-rc3 | |
| Asterisk | =1.4.27-rc4 | |
| Asterisk | =1.4.27-rc5 | |
| Asterisk | =1.4.27.1 | |
| Asterisk | =1.4.28 | |
| Asterisk | =1.4.28-rc1 | |
| Asterisk | =1.4.29 | |
| Asterisk | =1.4.29-rc1 | |
| Asterisk | =1.4.29.1 | |
| Asterisk | =1.4.30 | |
| Asterisk | =1.4.30-rc2 | |
| Asterisk | =1.4.30-rc3 | |
| Asterisk | =1.4.31 | |
| Asterisk | =1.4.31-rc1 | |
| Asterisk | =1.4.31-rc2 | |
| Asterisk | =1.4.32 | |
| Asterisk | =1.4.32-rc1 | |
| Asterisk | =1.4.33 | |
| Asterisk | =1.4.33-rc1 | |
| Asterisk | =1.4.33-rc2 | |
| Asterisk | =1.4.33.1 | |
| Asterisk | =1.4.34 | |
| Asterisk | =1.4.34-rc1 | |
| Asterisk | =1.4.34-rc2 | |
| Asterisk | =1.4.35 | |
| Asterisk | =1.4.35-rc1 | |
| Asterisk | =1.4.36 | |
| Asterisk | =1.4.36-rc1 | |
| Asterisk | =1.4.37 | |
| Asterisk | =1.4.37-rc1 | |
| Asterisk | =1.4.38 | |
| Asterisk | =1.4.38-rc1 | |
| Asterisk | =1.4.39 | |
| Asterisk | =1.4.39-rc1 | |
| Asterisk | =1.4.39.1 | |
| Asterisk | =1.4.39.2 | |
| Asterisk | =1.4.40 | |
| Asterisk | =1.4.40-rc1 | |
| Asterisk | =1.4.40-rc2 | |
| Asterisk | =1.4.40-rc3 | |
| Asterisk | =1.4.40.1 | |
| Asterisk | =1.4.40.2 | |
| Asterisk | =1.4.41 | |
| Asterisk | =1.4.41-rc1 | |
| Asterisk | =1.4.41.1 | |
| Asterisk | =1.4.41.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2011-2666?
CVE-2011-2666 has been assigned a medium severity rating due to its ability to allow account enumeration through invalid SIP requests.
How do I fix CVE-2011-2666?
To mitigate CVE-2011-2666, enable the alwaysauthreject option in the SIP channel driver configuration.
Which versions of Asterisk are affected by CVE-2011-2666?
CVE-2011-2666 affects Asterisk versions 1.4.x up to 1.4.41.2 and 1.6.2.x up to 1.6.2.18.2.
What kind of attack can exploit CVE-2011-2666?
CVE-2011-2666 can be exploited by remote attackers to enumerate account names through crafted SIP requests.
Is there a patch available for CVE-2011-2666?
Yes, patches are available and can be implemented by configuring the SIP channel driver appropriately.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/softwarecombine
- agent/tags
- vendor/digium
- canonical/asterisk
- version/asterisk/1.6.2.0
- version/asterisk/1.6.2.0-rc2
- version/asterisk/1.6.2.0-rc3
- version/asterisk/1.6.2.0-rc4
- version/asterisk/1.6.2.0-rc5
- version/asterisk/1.6.2.0-rc6
- version/asterisk/1.6.2.0-rc7
- version/asterisk/1.6.2.0-rc8
- version/asterisk/1.6.2.1
- version/asterisk/1.6.2.1-rc1
- version/asterisk/1.6.2.2
- version/asterisk/1.6.2.3-rc2
- version/asterisk/1.6.2.4
- version/asterisk/1.6.2.5
- version/asterisk/1.6.2.6
- version/asterisk/1.6.2.6-rc1
- version/asterisk/1.6.2.6-rc2
- version/asterisk/1.6.2.15-rc1
- version/asterisk/1.6.2.16
- version/asterisk/1.6.2.16-rc1
- version/asterisk/1.6.2.16.1
- version/asterisk/1.6.2.16.2
- version/asterisk/1.6.2.17
- version/asterisk/1.6.2.17-rc1
- version/asterisk/1.6.2.17-rc2
- version/asterisk/1.6.2.17-rc3
- version/asterisk/1.6.2.17.1
- version/asterisk/1.6.2.17.2
- version/asterisk/1.6.2.17.3
- version/asterisk/1.6.2.18
- version/asterisk/1.6.2.18-rc1
- version/asterisk/1.6.2.18.1
- version/asterisk/1.6.2.18.2
- version/asterisk/1.4.0
- version/asterisk/1.4.0-beta1
- version/asterisk/1.4.0-beta2
- version/asterisk/1.4.0-beta3
- version/asterisk/1.4.0-beta4
- version/asterisk/1.4.1
- version/asterisk/1.4.2
- version/asterisk/1.4.3
- version/asterisk/1.4.4
- version/asterisk/1.4.5
- version/asterisk/1.4.6
- version/asterisk/1.4.7
- version/asterisk/1.4.7.1
- version/asterisk/1.4.8
- version/asterisk/1.4.9
- version/asterisk/1.4.10
- version/asterisk/1.4.10.1
- version/asterisk/1.4.11
- version/asterisk/1.4.12
- version/asterisk/1.4.12.1
- version/asterisk/1.4.13
- version/asterisk/1.4.14
- version/asterisk/1.4.15
- version/asterisk/1.4.16
- version/asterisk/1.4.16.1
- version/asterisk/1.4.16.2
- version/asterisk/1.4.17
- version/asterisk/1.4.18
- version/asterisk/1.4.19
- version/asterisk/1.4.19-rc1
- version/asterisk/1.4.19-rc2
- version/asterisk/1.4.19-rc3
- version/asterisk/1.4.19-rc4
- version/asterisk/1.4.19.1
- version/asterisk/1.4.19.2
- version/asterisk/1.4.20
- version/asterisk/1.4.20-rc1
- version/asterisk/1.4.20-rc2
- version/asterisk/1.4.20-rc3
- version/asterisk/1.4.20.1
- version/asterisk/1.4.21
- version/asterisk/1.4.21-rc1
- version/asterisk/1.4.21-rc2
- version/asterisk/1.4.21.1
- version/asterisk/1.4.21.2
- version/asterisk/1.4.22
- version/asterisk/1.4.22-rc1
- version/asterisk/1.4.22-rc2
- version/asterisk/1.4.22-rc3
- version/asterisk/1.4.22-rc4
- version/asterisk/1.4.22-rc5
- version/asterisk/1.4.22.1
- version/asterisk/1.4.22.2
- version/asterisk/1.4.23
- version/asterisk/1.4.23-rc1
- version/asterisk/1.4.23-rc2
- version/asterisk/1.4.23-rc3
- version/asterisk/1.4.23-rc4
- version/asterisk/1.4.23.1
- version/asterisk/1.4.23.2
- version/asterisk/1.4.24
- version/asterisk/1.4.24-rc1
- version/asterisk/1.4.24.1
- version/asterisk/1.4.25
- version/asterisk/1.4.25-rc1
- version/asterisk/1.4.25.1
- version/asterisk/1.4.26
- version/asterisk/1.4.26-rc1
- version/asterisk/1.4.26-rc2
- version/asterisk/1.4.26-rc3
- version/asterisk/1.4.26-rc4
- version/asterisk/1.4.26-rc5
- version/asterisk/1.4.26-rc6
- version/asterisk/1.4.26.1
- version/asterisk/1.4.26.2
- version/asterisk/1.4.26.3
- version/asterisk/1.4.27
- version/asterisk/1.4.27-rc1
- version/asterisk/1.4.27-rc2
- version/asterisk/1.4.27-rc3
- version/asterisk/1.4.27-rc4
- version/asterisk/1.4.27-rc5
- version/asterisk/1.4.27.1
- version/asterisk/1.4.28
- version/asterisk/1.4.28-rc1
- version/asterisk/1.4.29
- version/asterisk/1.4.29-rc1
- version/asterisk/1.4.29.1
- version/asterisk/1.4.30
- version/asterisk/1.4.30-rc2
- version/asterisk/1.4.30-rc3
- version/asterisk/1.4.31
- version/asterisk/1.4.31-rc1
- version/asterisk/1.4.31-rc2
- version/asterisk/1.4.32
- version/asterisk/1.4.32-rc1
- version/asterisk/1.4.33
- version/asterisk/1.4.33-rc1
- version/asterisk/1.4.33-rc2
- version/asterisk/1.4.33.1
- version/asterisk/1.4.34
- version/asterisk/1.4.34-rc1
- version/asterisk/1.4.34-rc2
- version/asterisk/1.4.35
- version/asterisk/1.4.35-rc1
- version/asterisk/1.4.36
- version/asterisk/1.4.36-rc1
- version/asterisk/1.4.37
- version/asterisk/1.4.37-rc1
- version/asterisk/1.4.38
- version/asterisk/1.4.38-rc1
- version/asterisk/1.4.39
- version/asterisk/1.4.39-rc1
- version/asterisk/1.4.39.1
- version/asterisk/1.4.39.2
- version/asterisk/1.4.40
- version/asterisk/1.4.40-rc1
- version/asterisk/1.4.40-rc2
- version/asterisk/1.4.40-rc3
- version/asterisk/1.4.40.1
- version/asterisk/1.4.40.2
- version/asterisk/1.4.41
- version/asterisk/1.4.41-rc1
- version/asterisk/1.4.41.1
- version/asterisk/1.4.41.2