First published: Wed Jul 06 2011 (Updated: )
The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Asterisk | =1.6.2.0 | |
Asterisk | =1.6.2.0-rc2 | |
Asterisk | =1.6.2.0-rc3 | |
Asterisk | =1.6.2.0-rc4 | |
Asterisk | =1.6.2.0-rc5 | |
Asterisk | =1.6.2.0-rc6 | |
Asterisk | =1.6.2.0-rc7 | |
Asterisk | =1.6.2.0-rc8 | |
Asterisk | =1.6.2.1 | |
Asterisk | =1.6.2.1-rc1 | |
Asterisk | =1.6.2.2 | |
Asterisk | =1.6.2.3-rc2 | |
Asterisk | =1.6.2.4 | |
Asterisk | =1.6.2.5 | |
Asterisk | =1.6.2.6 | |
Asterisk | =1.6.2.6-rc1 | |
Asterisk | =1.6.2.6-rc2 | |
Asterisk | =1.6.2.15-rc1 | |
Asterisk | =1.6.2.16 | |
Asterisk | =1.6.2.16-rc1 | |
Asterisk | =1.6.2.16.1 | |
Asterisk | =1.6.2.16.2 | |
Asterisk | =1.6.2.17 | |
Asterisk | =1.6.2.17-rc1 | |
Asterisk | =1.6.2.17-rc2 | |
Asterisk | =1.6.2.17-rc3 | |
Asterisk | =1.6.2.17.1 | |
Asterisk | =1.6.2.17.2 | |
Asterisk | =1.6.2.17.3 | |
Asterisk | =1.6.2.18 | |
Asterisk | =1.6.2.18-rc1 | |
Asterisk | =1.6.2.18.1 | |
Asterisk | =1.6.2.18.2 | |
Asterisk | =1.4.0 | |
Asterisk | =1.4.0-beta1 | |
Asterisk | =1.4.0-beta2 | |
Asterisk | =1.4.0-beta3 | |
Asterisk | =1.4.0-beta4 | |
Asterisk | =1.4.1 | |
Asterisk | =1.4.2 | |
Asterisk | =1.4.3 | |
Asterisk | =1.4.4 | |
Asterisk | =1.4.5 | |
Asterisk | =1.4.6 | |
Asterisk | =1.4.7 | |
Asterisk | =1.4.7.1 | |
Asterisk | =1.4.8 | |
Asterisk | =1.4.9 | |
Asterisk | =1.4.10 | |
Asterisk | =1.4.10.1 | |
Asterisk | =1.4.11 | |
Asterisk | =1.4.12 | |
Asterisk | =1.4.12.1 | |
Asterisk | =1.4.13 | |
Asterisk | =1.4.14 | |
Asterisk | =1.4.15 | |
Asterisk | =1.4.16 | |
Asterisk | =1.4.16.1 | |
Asterisk | =1.4.16.2 | |
Asterisk | =1.4.17 | |
Asterisk | =1.4.18 | |
Asterisk | =1.4.19 | |
Asterisk | =1.4.19-rc1 | |
Asterisk | =1.4.19-rc2 | |
Asterisk | =1.4.19-rc3 | |
Asterisk | =1.4.19-rc4 | |
Asterisk | =1.4.19.1 | |
Asterisk | =1.4.19.2 | |
Asterisk | =1.4.20 | |
Asterisk | =1.4.20-rc1 | |
Asterisk | =1.4.20-rc2 | |
Asterisk | =1.4.20-rc3 | |
Asterisk | =1.4.20.1 | |
Asterisk | =1.4.21 | |
Asterisk | =1.4.21-rc1 | |
Asterisk | =1.4.21-rc2 | |
Asterisk | =1.4.21.1 | |
Asterisk | =1.4.21.2 | |
Asterisk | =1.4.22 | |
Asterisk | =1.4.22-rc1 | |
Asterisk | =1.4.22-rc2 | |
Asterisk | =1.4.22-rc3 | |
Asterisk | =1.4.22-rc4 | |
Asterisk | =1.4.22-rc5 | |
Asterisk | =1.4.22.1 | |
Asterisk | =1.4.22.2 | |
Asterisk | =1.4.23 | |
Asterisk | =1.4.23-rc1 | |
Asterisk | =1.4.23-rc2 | |
Asterisk | =1.4.23-rc3 | |
Asterisk | =1.4.23-rc4 | |
Asterisk | =1.4.23.1 | |
Asterisk | =1.4.23.2 | |
Asterisk | =1.4.24 | |
Asterisk | =1.4.24-rc1 | |
Asterisk | =1.4.24.1 | |
Asterisk | =1.4.25 | |
Asterisk | =1.4.25-rc1 | |
Asterisk | =1.4.25.1 | |
Asterisk | =1.4.26 | |
Asterisk | =1.4.26-rc1 | |
Asterisk | =1.4.26-rc2 | |
Asterisk | =1.4.26-rc3 | |
Asterisk | =1.4.26-rc4 | |
Asterisk | =1.4.26-rc5 | |
Asterisk | =1.4.26-rc6 | |
Asterisk | =1.4.26.1 | |
Asterisk | =1.4.26.2 | |
Asterisk | =1.4.26.3 | |
Asterisk | =1.4.27 | |
Asterisk | =1.4.27-rc1 | |
Asterisk | =1.4.27-rc2 | |
Asterisk | =1.4.27-rc3 | |
Asterisk | =1.4.27-rc4 | |
Asterisk | =1.4.27-rc5 | |
Asterisk | =1.4.27.1 | |
Asterisk | =1.4.28 | |
Asterisk | =1.4.28-rc1 | |
Asterisk | =1.4.29 | |
Asterisk | =1.4.29-rc1 | |
Asterisk | =1.4.29.1 | |
Asterisk | =1.4.30 | |
Asterisk | =1.4.30-rc2 | |
Asterisk | =1.4.30-rc3 | |
Asterisk | =1.4.31 | |
Asterisk | =1.4.31-rc1 | |
Asterisk | =1.4.31-rc2 | |
Asterisk | =1.4.32 | |
Asterisk | =1.4.32-rc1 | |
Asterisk | =1.4.33 | |
Asterisk | =1.4.33-rc1 | |
Asterisk | =1.4.33-rc2 | |
Asterisk | =1.4.33.1 | |
Asterisk | =1.4.34 | |
Asterisk | =1.4.34-rc1 | |
Asterisk | =1.4.34-rc2 | |
Asterisk | =1.4.35 | |
Asterisk | =1.4.35-rc1 | |
Asterisk | =1.4.36 | |
Asterisk | =1.4.36-rc1 | |
Asterisk | =1.4.37 | |
Asterisk | =1.4.37-rc1 | |
Asterisk | =1.4.38 | |
Asterisk | =1.4.38-rc1 | |
Asterisk | =1.4.39 | |
Asterisk | =1.4.39-rc1 | |
Asterisk | =1.4.39.1 | |
Asterisk | =1.4.39.2 | |
Asterisk | =1.4.40 | |
Asterisk | =1.4.40-rc1 | |
Asterisk | =1.4.40-rc2 | |
Asterisk | =1.4.40-rc3 | |
Asterisk | =1.4.40.1 | |
Asterisk | =1.4.40.2 | |
Asterisk | =1.4.41 | |
Asterisk | =1.4.41-rc1 | |
Asterisk | =1.4.41.1 | |
Asterisk | =1.4.41.2 | |
CVE-2011-2666 has been assigned a medium severity rating due to its ability to allow account enumeration through invalid SIP requests.
To mitigate CVE-2011-2666, enable the alwaysauthreject option in the SIP channel driver configuration.
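The following sip.conf fragment is an added example, not taken from the advisory or from the Asterisk project. It shows the weak pre-fix default beside the hardened setting; the [general] section header and the alwaysauthreject option name are real Asterisk chan_sip configuration, while the surrounding context lines are only illustrative.

```ini
; /etc/asterisk/sip.conf (added example, not part of the advisory)

; --- Weak: the default in the affected 1.4.x / 1.6.2.x releases ---
; With alwaysauthreject left unset (or explicitly "no"), chan_sip answers a
; request for a nonexistent account differently from a request for a real
; account with a bad password. That difference is what CVE-2011-2666 is about.
[general]
context=default
alwaysauthreject=no

; --- Hardened: the mitigation the advisory recommends ---
; With alwaysauthreject=yes, every failed authentication is rejected the same
; way whether or not the account exists, so the responses no longer reveal
; which usernames are valid.
[general]
context=default
alwaysauthreject=yes
```

Only one [general] section belongs in a real sip.conf; the two are shown side by side for comparison. After changing the option, reload the SIP channel driver (`sip reload` from the Asterisk CLI) so the new value takes effect, and confirm it from `sip show settings`, which lists the effective value of this option among the general settings.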
CVE-2011-2666 affects Asterisk versions 1.4.x up to 1.4.41.2 and 1.6.2.x up to 1.6.2.18.2.
CVE-2011-2666 can be exploited by remote attackers to enumerate account names through crafted SIP requests.
Patches are available, and the fix can be applied by configuring the SIP channel driver appropriately.