
Possible remote enumeration of SIP endpoints with differing NAT settings

Asterisk Project Security Advisory - AST-2011-013

Product: Asterisk

Summary: Possible remote enumeration of SIP endpoints with differing NAT settings

Nature of Advisory: Unauthorized data disclosure

Susceptibility: Remote unauthenticated sessions

Severity: Minor

Exploits Known: Yes

Reported On: 2011-07-18

Reported By: Ben Williams

Posted On:

Last Updated On: December 7, 2011

Advisory Contact: Terry Wilson <twilson@digium.com>

CVE Name:

Description: It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.

Resolution: Handling NAT for SIP over UDP requires the differing behavior introduced by these options.

To lessen the frequency of unintended username disclosure, the default NAT setting was changed to always respond to the port from which we received the request, the most commonly used option.

Warnings were added on startup to inform administrators of the risks of having a SIP peer configured with a different setting than that of the general setting. The documentation now strongly suggests that peers are no longer configured for NAT individually, but through the global setting in the “general” context.
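The following is an added example, not part of the advisory or of the Asterisk project: a small Python audit script that reads a sip.conf and flags every peer whose nat= setting answers to a different port than the [general] setting, which is the mismatch the description and resolution above refer to. The mapping of nat= values to reply behaviour is taken from the advisory text (yes/route versus no/never for 1.4 and 1.6.2, force_rport/yes versus no/comedia for 1.8 and 10). The function names, the sample sip.conf text, and the handling of comma-separated values such as nat=force_rport,comedia are this example's own assumptions; template inheritance ([peer](template)) is not resolved.

```python
"""Audit sip.conf for peers whose nat= reply behaviour differs from [general].

Added example (not the advisory's or the Asterisk project's code). It
reproduces, offline, the check that the advisory says Asterisk now performs
at startup, so a mismatch can be caught before a server is deployed.
"""
import re

# Which nat= values make Asterisk reply to the port the request came from,
# per the advisory text. Any other value (no/never in 1.4 and 1.6.2,
# no/comedia in 1.8 and 10) replies to the port given in the Via header.
SOURCE_PORT_VALUES = {
    "1.4": {"yes", "route"},
    "1.6.2": {"yes", "route"},
    "1.8": {"yes", "force_rport"},
    "10": {"yes", "force_rport"},
}

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_sip_conf(text):
    """Minimal Asterisk config parser (assumption: enough for nat= auditing).

    Handles [section] headers, key=value and key=>value lines, and ';'
    comments. Templates are not resolved. Returns {section: {key: value}}.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.lstrip(">").strip()  # accept both "=" and "=>"
        sections[current][key.strip().lower()] = value.lower()
    return sections


def responds_to_source_port(nat_value, version):
    """True if this nat= value makes Asterisk reply to the request's source port.

    1.8 and later accept a comma-separated list (e.g. force_rport,comedia);
    treating the list as "source port" if any token is one is an assumption.
    """
    tokens = {t.strip() for t in nat_value.split(",")}
    return bool(tokens & SOURCE_PORT_VALUES[version])


def find_nat_mismatches(text, version="1.8"):
    """Return [(peer, nat_value)] for peers whose reply port differs from [general].

    Peers with no nat= line inherit the general setting and are never flagged.
    An explicit nat= in [general] is required, as the advisory recommends
    configuring NAT globally rather than per peer.
    """
    conf = parse_sip_conf(text)
    general_nat = conf.get("general", {}).get("nat")
    if general_nat is None:
        raise ValueError("set nat= explicitly in [general] before auditing peers")
    general_src = responds_to_source_port(general_nat, version)
    mismatches = []
    for name, opts in conf.items():
        if name == "general" or "nat" not in opts:
            continue
        if responds_to_source_port(opts["nat"], version) != general_src:
            mismatches.append((name, opts["nat"]))
    return mismatches


# Constructed sample: [general] replies to the source port, but "alice" is
# overridden to reply to the Via port, the mismatch the advisory warns about.
RISKY_SIP_CONF = """
[general]
context=default
nat=force_rport,comedia

[alice]
type=friend
host=dynamic
nat=no          ; differs from [general]: username becomes enumerable

[bob]
type=friend
host=dynamic
nat=yes         ; same reply behaviour as [general], not a mismatch

[carol]
type=friend
host=dynamic    ; no nat= line: inherits the general setting
"""

# Constructed corrected form: NAT is set once in [general], no peer overrides it.
FIXED_SIP_CONF = """
[general]
context=default
nat=force_rport,comedia

[alice]
type=friend
host=dynamic

[bob]
type=friend
host=dynamic
"""

if __name__ == "__main__":
    for label, conf in (("risky", RISKY_SIP_CONF), ("fixed", FIXED_SIP_CONF)):
        bad = find_nat_mismatches(conf, version="1.8")
        print(f"{label}: {len(bad)} mismatching peer(s) {bad}")
```

Run it against a real sip.conf by reading the file into `find_nat_mismatches` with the version string that matches the installed Asterisk; an empty result means every peer uses the same reply behaviour as [general], which is the configuration the advisory's documentation now recommends.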

Affected Versions

Product: Asterisk Open Source
Release Series: All (all versions)

Corrected In

As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe is the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2.

Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-013.pdf and http://downloads.digium.com/pub/security/AST-2011-013.html

Revision History

Date | Editor | Revisions Made


Copyright (c) 2011 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Distributed via the asterisk-announce mailing list (http://lists.digium.com/mailman/listinfo/asterisk-announce).
