IAX2 Information Leak in Asterisk Open Source and Business Edition
CVE-2009-0041

Currently unrated

Key Information:

Vendor: Asterisk
Status: Asterisk Business Edition; Open Source; S800i Appliance
Vendor: CVE Published:; 14 January 2009

What is CVE-2009-0041?

The IAX2 protocol implementation in Asterisk Open Source and Business Edition has a flaw wherein it reacts differently to failed login attempts based on the existence of user accounts. This inconsistency may be exploited by remote attackers to enumerate valid usernames, posing a significant information leakage risk to users of affected versions.

References

http://security.gentoo.org/glsa/glsa-200905-01.xml

vendor-advisoryx_refsource_GENTOO

http://www.securityfocus.com/archive/1/499884/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://secunia.com/advisories/33453

third-party-advisoryx_refsource_SECUNIA

Timeline

Vulnerability published
Jan 14, 2009
Vulnerability Reserved
Jan 6, 2009