CVE-2009-3727

Name: CVE-2009-3727
Description: Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1952-1
NVD severity: medium (attack range: remote)
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.
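As an added example (not code from Asterisk, Debian or the CVE entry), the following Python script shows detection logic for the REGISTER pattern the description names: it parses SIP REGISTER requests, reports those whose To-URI user and Digest username disagree, and groups such requests by source address so that a host probing many names stands out. The sample messages, the addresses, the header layout and the threshold of three distinct names are constructed assumptions; whether a particular Asterisk build actually answers the two cases with different errors is not tested here.

```python
"""Heuristic detector for the REGISTER pattern described in CVE-2009-3727.

CVE-2009-3727 describes username enumeration through REGISTER requests whose
To-URI user and Digest username disagree. This added example parses SIP
REGISTER messages, reports that inconsistency, and flags sources that probe
several names that way. All sample traffic below is constructed, not captured.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# RFC 3261 compact header names handled here (assumption: only these matter).
COMPACT = {"t": "to", "f": "from"}

URI_USER = re.compile(r"sips?:([^@>;\s]+)@")
DIGEST_USERNAME = re.compile(r'username\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_message(msg: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a SIP request into its request line and a lower-cased header map."""
    head = msg.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)].append(value.strip())
    return lines[0], headers


def to_user(headers: Dict[str, List[str]]) -> Optional[str]:
    """User part of the SIP URI in the To header, or None."""
    vals = headers.get("to")
    if not vals:
        return None
    m = URI_USER.search(vals[0])
    return m.group(1) if m else None


def digest_username(headers: Dict[str, List[str]]) -> Optional[str]:
    """username="..." from a Digest Authorization header, or None."""
    for value in headers.get("authorization", []):
        if value.lower().startswith("digest"):
            m = DIGEST_USERNAME.search(value)
            if m:
                return m.group(1)
    return None


def check_register(msg: str) -> Optional[Tuple[str, str]]:
    """Return (to_user, digest_user) when a REGISTER carries inconsistent names.

    A REGISTER without an Authorization header (the first, unchallenged attempt)
    is normal and is not reported; non-REGISTER requests are ignored.
    """
    request_line, headers = parse_message(msg)
    if not request_line.upper().startswith("REGISTER "):
        return None
    tu, du = to_user(headers), digest_username(headers)
    if tu is None or du is None or tu == du:
        return None
    return tu, du


def suspicious_sources(traffic, threshold: int = 3) -> Dict[str, List[str]]:
    """Map source address -> sorted distinct To-users probed with a mismatched
    Digest username, keeping only sources with at least `threshold` names."""
    probed: Dict[str, Set[str]] = defaultdict(set)
    for src, msg in traffic:
        hit = check_register(msg)
        if hit:
            probed[src].add(hit[0])
    return {src: sorted(users) for src, users in probed.items()
            if len(users) >= threshold}


def register(to_name: str, digest_user: Optional[str]) -> str:
    """Build a constructed REGISTER request (sample data, not a capture)."""
    lines = [
        "REGISTER sip:pbx.example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{to_name}@pbx.example.com>;tag=1928301774",
        f"To: <sip:{to_name}@pbx.example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 2 REGISTER",
    ]
    if digest_user is not None:
        lines.append(
            f'Authorization: Digest username="{digest_user}", realm="asterisk", '
            'nonce="5f1c2e", uri="sip:pbx.example.com", '
            'response="00000000000000000000000000000000"'
        )
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


# Constructed traffic: (source address, message). Addresses are documentation ranges.
SAMPLE_TRAFFIC = [
    ("192.0.2.10", register("alice", None)),       # unchallenged first attempt
    ("192.0.2.10", register("alice", "alice")),    # consistent names
    ("198.51.100.7", register("bob", "alice")),    # probing "bob" with alice's digest
    ("198.51.100.7", register("carol", "alice")),
    ("198.51.100.7", register("dave", "alice")),
    ("198.51.100.7", register("dave", "alice")),   # repeat adds no new name
]

if __name__ == "__main__":
    for src, names in suspicious_sources(SAMPLE_TRAFFIC).items():
        print(f"{src} probed {len(names)} names with inconsistent REGISTERs: {names}")
```

The check keys on the request itself, not on the server's reply, so it works from a packet capture or SIP proxy log regardless of whether the PBX behind it is patched; the source address should come from the transport layer rather than from the attacker-controlled Via header.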

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
asterisk (PTS) | squeeze, squeeze (security) | 1:1.6.2.9-2+squeeze12 | fixed
asterisk (PTS) | wheezy (security), wheezy | 1:1.8.13.1~dfsg1-3+deb7u3 | fixed
asterisk (PTS) | jessie | 1:11.13.1~dfsg-2 | fixed
asterisk (PTS) | stretch, sid | 1:13.1.0~dfsg-1.1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
asterisk | source | (unstable) | 1:1.6.2.0~rc6-1 | medium | |
asterisk | source | etch | (unfixed) | end-of-life | |
asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny1 | medium | DSA-1952-1 |

Notes

[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
