Description: The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through and 1.6.2.x through does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
NVD severity: medium (attack range: remote)
Debian/oldoldstable: package asterisk is vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not known to be vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                        Version    Status
asterisk (PTS)    squeeze, squeeze (security)    1:
                  wheezy (security), wheezy      1:

The information below is based on the following data on fixed versions.

Package    Type    Release    Fixed Version    Urgency    Origin    Debian Bugs


[squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)
