CVE-2013-2264

01.04.2013, 16:55

The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	5 UNKNOWN	NETWORK	LOW	AV:N/AC:L/Au:N/C:P/I:N/A:N
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Vendor	Product	Version
asterisk	open_source	1.8.0
asterisk	open_source	1.8.0:beta1
asterisk	open_source	1.8.0:beta2
asterisk	open_source	1.8.0:beta3
asterisk	open_source	1.8.0:beta4
asterisk	open_source	1.8.0:beta5
asterisk	open_source	1.8.0:rc2
asterisk	open_source	1.8.0:rc3
asterisk	open_source	1.8.0:rc4
asterisk	open_source	1.8.0:rc5
asterisk	open_source	1.8.1
asterisk	open_source	1.8.1:rc1
asterisk	open_source	1.8.1.1
asterisk	open_source	1.8.1.2
asterisk	open_source	1.8.2
asterisk	open_source	1.8.2:rc1
asterisk	open_source	1.8.2.1
asterisk	open_source	1.8.2.2
asterisk	open_source	1.8.2.3
asterisk	open_source	1.8.2.4
asterisk	open_source	1.8.3
asterisk	open_source	1.8.3:rc1
asterisk	open_source	1.8.3:rc2
asterisk	open_source	1.8.3:rc3
asterisk	open_source	1.8.3.1
asterisk	open_source	1.8.3.2
asterisk	open_source	1.8.3.3
asterisk	open_source	1.8.4
asterisk	open_source	1.8.4:rc1
asterisk	open_source	1.8.4:rc2
asterisk	open_source	1.8.4:rc3
asterisk	open_source	1.8.4.1
asterisk	open_source	1.8.4.2
asterisk	open_source	1.8.4.3
asterisk	open_source	1.8.4.4
asterisk	open_source	1.8.5:rc1
asterisk	open_source	1.8.5.0
asterisk	open_source	1.8.6.0
asterisk	open_source	1.8.6.0:rc1
asterisk	open_source	1.8.6.0:rc2
asterisk	open_source	1.8.6.0:rc3
asterisk	open_source	1.8.7.0
asterisk	open_source	1.8.7.0:rc1
asterisk	open_source	1.8.7.0:rc2
asterisk	open_source	1.8.7.1
asterisk	open_source	1.8.7.2
asterisk	open_source	1.8.8.0
asterisk	open_source	1.8.8.0:rc1
asterisk	open_source	1.8.8.0:rc2
asterisk	open_source	1.8.8.0:rc3
asterisk	open_source	1.8.8.0:rc4
asterisk	open_source	1.8.8.0:rc5
asterisk	open_source	1.8.8.1
asterisk	open_source	1.8.8.2
asterisk	open_source	1.8.9.0
asterisk	open_source	1.8.9.0:rc1
asterisk	open_source	1.8.9.0:rc2
asterisk	open_source	1.8.9.0:rc3
asterisk	open_source	1.8.9.1
asterisk	open_source	1.8.9.2
asterisk	open_source	1.8.9.3
asterisk	open_source	1.8.10.0
asterisk	open_source	1.8.10.0:rc1
asterisk	open_source	1.8.10.0:rc2
asterisk	open_source	1.8.10.0:rc3
asterisk	open_source	1.8.10.0:rc4
asterisk	open_source	1.8.10.1
asterisk	open_source	1.8.11.0
asterisk	open_source	1.8.11.0:rc2
asterisk	open_source	1.8.11.0:rc3
asterisk	open_source	1.8.11.1
asterisk	open_source	1.8.12
asterisk	open_source	1.8.12.0:rc1
asterisk	open_source	1.8.12.0:rc2
asterisk	open_source	1.8.12.0:rc3
asterisk	open_source	1.8.12.1
asterisk	open_source	1.8.12.2
asterisk	open_source	1.8.13.0
asterisk	open_source	1.8.13.0:rc1
asterisk	open_source	1.8.13.0:rc2
asterisk	open_source	1.8.13.1
asterisk	open_source	1.8.14.0
asterisk	open_source	1.8.14.0:rc1
asterisk	open_source	1.8.14.0:rc2
asterisk	open_source	1.8.14.1
asterisk	open_source	1.8.15.0
asterisk	open_source	1.8.15.0:rc1
asterisk	open_source	1.8.15.1
asterisk	open_source	1.8.16.0
asterisk	open_source	1.8.16.0:rc1
asterisk	open_source	1.8.16.0:rc2
asterisk	open_source	1.8.17.0
asterisk	open_source	1.8.17.0:rc1
asterisk	open_source	1.8.17.0:rc2
asterisk	open_source	1.8.17.0:rc3
asterisk	open_source	1.8.18.0
asterisk	open_source	1.8.18.0:rc1
asterisk	open_source	1.8.18.1
asterisk	open_source	1.8.19.0
asterisk	open_source	1.8.19.0:rc1
asterisk	open_source	1.8.19.0:rc3
asterisk	open_source	1.8.19.1
asterisk	open_source	1.8.20.0
asterisk	open_source	1.8.20.0:rc1
asterisk	open_source	1.8.20.0:rc2
asterisk	open_source	1.8.20.1
asterisk	open_source	10.0.0
asterisk	open_source	10.0.0:beta1
asterisk	open_source	10.0.0:beta2
asterisk	open_source	10.0.0:rc1
asterisk	open_source	10.0.0:rc2
asterisk	open_source	10.0.0:rc3
asterisk	open_source	10.0.1
asterisk	open_source	10.1.0
asterisk	open_source	10.1.0:rc1
asterisk	open_source	10.1.0:rc2
asterisk	open_source	10.1.1
asterisk	open_source	10.1.2
asterisk	open_source	10.1.3
asterisk	open_source	10.2.0
asterisk	open_source	10.2.0:rc1
asterisk	open_source	10.2.0:rc2
asterisk	open_source	10.2.0:rc3
asterisk	open_source	10.2.0:rc4
asterisk	open_source	10.2.1
asterisk	open_source	10.3.0
asterisk	open_source	10.3.0:rc2
asterisk	open_source	10.3.0:rc3
asterisk	open_source	10.3.1
asterisk	open_source	10.4.0
asterisk	open_source	10.4.0:rc1
asterisk	open_source	10.4.0:rc2
asterisk	open_source	10.4.0:rc3
asterisk	open_source	10.4.1
asterisk	open_source	10.4.2
asterisk	open_source	10.5.0
asterisk	open_source	10.5.0:rc1
asterisk	open_source	10.5.0:rc2
asterisk	open_source	10.5.1
asterisk	open_source	10.5.2
asterisk	open_source	10.6.0
asterisk	open_source	10.6.0:rc1
asterisk	open_source	10.6.0:rc2
asterisk	open_source	10.6.1
asterisk	open_source	10.7.0
asterisk	open_source	10.7.0:rc1
asterisk	open_source	10.7.1
asterisk	open_source	10.8.0
asterisk	open_source	10.8.0:rc1
asterisk	open_source	10.8.0:rc2
asterisk	open_source	10.9.0
asterisk	open_source	10.9.0:rc1
asterisk	open_source	10.9.0:rc2
asterisk	open_source	10.9.0:rc3
asterisk	open_source	10.10.0
asterisk	open_source	10.10.0:rc1
asterisk	open_source	10.10.0:rc2
asterisk	open_source	10.10.1
asterisk	open_source	10.11.0
asterisk	open_source	10.11.0:rc1
asterisk	open_source	10.11.0:rc3
asterisk	open_source	10.11.1
asterisk	open_source	10.12.0
asterisk	open_source	10.12.0:rc1
asterisk	open_source	10.12.0:rc2
asterisk	open_source	10.12.1
asterisk	open_source	11.0.0
asterisk	open_source	11.0.0:beta1
asterisk	open_source	11.0.0:beta2
asterisk	open_source	11.0.0:rc1
asterisk	open_source	11.0.0:rc2
asterisk	open_source	11.0.1
asterisk	open_source	11.0.2
asterisk	open_source	11.1.0
asterisk	open_source	11.1.0:rc1
asterisk	open_source	11.1.0:rc3
asterisk	open_source	11.1.1
asterisk	open_source	11.1.2
asterisk	open_source	11.2.0
asterisk	open_source	11.2.0:rc1
asterisk	open_source	11.2.0:rc2
asterisk	open_source	11.2.1
asterisk	certified_asterisk	1.8.15:cert1
asterisk	certified_asterisk	1.8.15:cert1
asterisk	certified_asterisk	1.8.15:cert1
asterisk	certified_asterisk	1.8.15:cert1
asterisk	certified_asterisk	1.8.15.0
asterisk	certified_asterisk	1.8.15.0:rc1
asterisk	digiumphones	10.0.0
asterisk	digiumphones	10.0.0:beta1
asterisk	digiumphones	10.0.0:beta2
asterisk	digiumphones	10.0.0:rc1
asterisk	digiumphones	10.0.0:rc2
asterisk	digiumphones	10.0.0:rc3
asterisk	digiumphones	10.1.0
asterisk	digiumphones	10.1.0:rc1
asterisk	digiumphones	10.1.0:rc2
asterisk	digiumphones	10.2.0
asterisk	digiumphones	10.2.0:rc1
asterisk	digiumphones	10.2.0:rc2
asterisk	digiumphones	10.2.0:rc3
asterisk	digiumphones	10.2.0:rc4
asterisk	digiumphones	10.3.0
asterisk	digiumphones	10.3.0:rc2
asterisk	digiumphones	10.3.0:rc3
asterisk	digiumphones	10.4.0
asterisk	digiumphones	10.4.0:rc1
asterisk	digiumphones	10.4.0:rc2
asterisk	digiumphones	10.4.0:rc3
asterisk	digiumphones	10.5.0
asterisk	digiumphones	10.5.0:rc1
asterisk	digiumphones	10.5.0:rc2
asterisk	digiumphones	10.6.0
asterisk	digiumphones	10.6.0:rc1
asterisk	digiumphones	10.6.0:rc2
asterisk	digiumphones	10.7.0
asterisk	digiumphones	10.7.0:rc1
asterisk	digiumphones	10.8.0
asterisk	digiumphones	10.8.0:rc1
asterisk	digiumphones	10.8.0:rc2
asterisk	digiumphones	10.9.0:rc1
asterisk	digiumphones	10.10.0
asterisk	digiumphones	10.10.0:rc1
asterisk	digiumphones	10.10.0:rc2
asterisk	digiumphones	10.11.0
asterisk	digiumphones	10.11.0:rc1
asterisk	digiumphones	10.11.0:rc2
asterisk	digiumphones	10.11.0:rc3
asterisk	digiumphones	10.12.0
asterisk	digiumphones	10.12.0:rc1
asterisk	digiumphones	10.12.0:rc2
asterisk	digiumphones	10.12.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

asterisk

bullseye	1:16.28.0~dfsg-0+deb11u4 fixed
squeeze	no-dsa
bullseye (security)	1:16.28.0~dfsg-0+deb11u5 fixed
sid	1:22.0.0~dfsg+~cs6.14.60671435-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

asterisk

zesty	not-affected
yakkety	not-affected
xenial	not-affected
wily	not-affected
vivid	not-affected
utopic	not-affected
trusty	dne
saucy	ignored
raring	ignored
quantal	ignored
precise	ignored
oneiric	ignored
lucid	ignored
hardy	ignored

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://downloads.asterisk.org/pub/security/AST-2013-003.html

https://issues.asterisk.org/jira/browse/ASTERISK-21013

http://downloads.asterisk.org/pub/security/AST-2013-003.html

https://issues.asterisk.org/jira/browse/ASTERISK-21013