Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

             Asterisk Project Security Advisory - AST-2013-003
                               2 April 2013


        AusCERT Security Bulletin Summary

Product:           Asterisk Open Source
                   Certified Asterisk
                   Asterisk Business Edition
                   Asterisk Digiumphones
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2264  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2013-003

          Product         Asterisk                                            
          Summary         Username disclosure in SIP channel driver           
     Nature of Advisory   Unauthorized data disclosure                        
       Susceptibility     Remote Unauthenticated Sessions                     
          Severity        Moderate                                            
       Exploits Known     No                                                  
        Reported On       January 30, 2013                                    
        Reported By       Walter Doekes, OSSO B.V.                            
         Posted On        February 21, 2013                                   
      Last Updated On     March 27, 2013                                      
      Advisory Contact    Kinsey Moore <kmoore@digium.com>                    
          CVE Name        CVE-2013-2264                                       

    Description  When authenticating via SIP with alwaysauthreject enabled,   
                 allowguest disabled, and autocreatepeer disabled, Asterisk   
                 discloses whether a user exists for INVITE, SUBSCRIBE, and   
                 REGISTER transactions in multiple ways.                      
                 This information was disclosed:                              
                 * when a "407 Proxy Authentication Required" response was    
                 sent instead of "401 Unauthorized" response.                 
                 * due to the presence or absence of additional tags at the   
                 end of "403 Forbidden" such as "(Bad auth)".                 
                 * when a "401 Unauthorized" response was sent instead of     
                 "403 Forbidden" response after a retransmission.             
                 * when retransmissions were sent when a matching peer did    
                 not exist, but were not when a matching peer did exist.      

    Resolution  This issue can only be mitigated by upgrading to versions of  
                Asterisk that contain the patch or applying the patch.        

                               Affected Versions
                Product                Release Series    
          Asterisk Open Source              1.8.x        All Versions         
          Asterisk Open Source              10.x         All Versions         
          Asterisk Open Source              11.x         All Versions         
           Certified Asterisk              1.8.15        All Versions         
       Asterisk Business Edition            C.3.x        All Versions         
         Asterisk Digiumphones        10.x-digiumphones  All Versions         

                                  Corrected In
                  Product                              Release                
           Asterisk Open Source     , 10.12.2, 11.2.2       
           Asterisk Digiumphones                10.12.2-digiumphones          
            Certified Asterisk                      1.8.15-cert2              
         Asterisk Business Edition                     C.3.8.1                

                                SVN URL                                  Revision  
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff         Asterisk  
http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff          Asterisk  
http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff          Asterisk  
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff Certified 
http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff         Asterisk  
                                                                         BE C.3    

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-21013       

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2013-003.pdf and             

                                Revision History
        Date          Editor                    Revisions Made                
    2013-02-20    Kinsey Moore    Initial revision.                           
    2013-02-27    Kinsey Moore    Added Asterisk BE patch information.        
    2013-02-27    Kinsey Moore    Corrected open source Asterisk versions.    

               Asterisk Project Security Advisory - AST-2013-003
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967