CVE-2011-4597 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.7%

top 28.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedDec 15

Latest updateMay 17

Description

The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/asterisk< asterisk 1:1.8.8.0~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:1.8.8.0~dfsg-1

▶NVDdigium/asterisk113 versions+112

🔴Vulnerability Details

GHSA

GHSA-x8j5-r4w2-j865: The SIP over UDP implementation in Asterisk Open Source 1↗2022-05-17

▶

OSV

CVE-2011-4597: The SIP over UDP implementation in Asterisk Open Source 1↗2011-12-15

▶

📋Vendor Advisories

Debian

CVE-2011-4597: asterisk - The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6...↗2011

▶

💬Community

Bugzilla

CVE-2011-4597 asterisk: Possible to enumerate SIP usernames when general and user/peer NAT settings differed (AST-2011-013)↗2011-12-09

▶