SIP Channel Driver Vulnerability in Asterisk Open Source and Certified Asterisk
CVE-2013-2264
Currently unrated
What is CVE-2013-2264?
The SIP channel driver in Asterisk and its variants responds differently to invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists. Remote attackers can use this inconsistency to identify valid account names by analyzing HTTP status codes, the specific text in 403 (Forbidden) responses, and the presence or absence of retransmitted requests. The vulnerability may compromise the confidentiality of user accounts, so administrators should implement appropriate security measures to mitigate the risk.
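For administrators validating their own test server, the following Python is an added example (not code from Asterisk or from this advisory) that compares the responses recorded for one existing and one nonexistent account and reports which of the three signals described above differ. The helper names and the sample messages are constructed for illustration, and byte-identical copies of a message are assumed to be retransmissions.

```python
from collections import Counter

def parse_status_line(raw):
    """Return (status_code, reason_phrase) from a raw SIP response."""
    first = raw.lstrip().splitlines()[0]
    version, code, *reason = first.split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError(f"not a SIP response: {first!r}")
    return int(code), (reason[0].strip() if reason else "")

def profile(messages):
    """Reduce one transaction's captured responses to the three signals."""
    parsed = [parse_status_line(m) for m in messages]
    finals = [p for p in parsed if p[0] >= 200]  # skip 1xx provisional
    if not finals:
        raise ValueError("capture has no final response")
    status, reason = finals[0]
    # Assumption: byte-identical copies of a message are retransmissions.
    retransmissions = sum(n - 1 for n in Counter(messages).values())
    return {"status": status, "reason": reason,
            "retransmissions": retransmissions}

def leaking_signals(existing, missing):
    """Name the signals that differ between an existing and a missing account."""
    a, b = profile(existing), profile(missing)
    return [name for name in a if a[name] != b[name]]

def resp(code, reason):
    # Constructed sample message; most SIP headers are left out for brevity.
    return f"SIP/2.0 {code} {reason}\r\nCSeq: 102 REGISTER\r\nContent-Length: 0\r\n\r\n"

# Constructed captures, not taken from a real Asterisk server.
LEAKY_EXISTING = [resp(100, "Trying"), resp(403, "Forbidden (Bad auth)"),
                  resp(403, "Forbidden (Bad auth)")]
LEAKY_MISSING = [resp(100, "Trying"), resp(403, "Forbidden")]
UNIFORM_EXISTING = [resp(401, "Unauthorized")]
UNIFORM_MISSING = [resp(401, "Unauthorized")]

if __name__ == "__main__":
    print("leaky pair:", leaking_signals(LEAKY_EXISTING, LEAKY_MISSING))
    print("uniform pair:", leaking_signals(UNIFORM_EXISTING, UNIFORM_MISSING))
```

An empty result means the two captures are indistinguishable on these three signals; any name in the list is a difference that reveals whether the account exists.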