Asterisk Authentication SIP Response Username Enumeration Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

BUGTRAQ ID: 34353
CVE(CAN) ID: CVE-2008-3903

Asterisk is an open-source software PBX that supports a variety of VoIP protocols and devices.

If Digest authentication is enabled, the Asterisk PBX returns different responses for valid and invalid SIP usernames attempted during login, so a remote attacker can enumerate valid usernames by brute-force guessing.

Affected versions:

Asterisk Asterisk 1.6.0.x
Asterisk Asterisk 1.4.x
Asterisk Asterisk 1.2.x
Asterisk Business Edition C.2.x.x
Asterisk Business Edition C.1.x.x
Asterisk Business Edition B.x.x
Asterisk s800i 1.3.x

Asterisk
--------
The vendor has released upgrade patches that fix this security issue. Download them from the vendor's site:

http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt
http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt
http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt
...
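One way to confirm the fix on your own PBX, as an added example that is not part of the advisory or of Asterisk's code: compare a captured response for a known-valid username with one for a known-invalid username, ignoring fields that change on every request. The sample responses, status codes, usernames and addresses below are constructed for illustration; the advisory does not state which fields differ.

```python
import re

# Values that differ between any two responses regardless of the username:
# transaction identifiers and the fresh Digest challenge nonce.
VOLATILE_PARAMS = re.compile(
    r'\b(nonce|opaque|branch|tag|received)=("[^"]*"|[^;,\s]+)', re.I)
# Headers that echo the request (including the probed username itself).
ECHOED_HEADERS = {"call-id", "cseq", "from", "to", "contact"}

def parse_response(raw):
    """Return (status line, {header: normalised value}) for a raw SIP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ECHOED_HEADERS:
            value = "<echoed>"  # presence matters, content does not
        else:
            value = VOLATILE_PARAMS.sub(
                lambda m: m.group(1).lower() + "=<masked>", value.strip())
        headers[name] = value
    return lines[0].strip(), headers

def distinguishing_fields(known_valid_raw, known_invalid_raw):
    """List the fields that let an observer tell the two responses apart."""
    status_a, hdr_a = parse_response(known_valid_raw)
    status_b, hdr_b = parse_response(known_invalid_raw)
    diffs = ["status-line"] if status_a != status_b else []
    diffs += [n for n in sorted(set(hdr_a) | set(hdr_b))
              if hdr_a.get(n) != hdr_b.get(n)]
    return diffs

def sample(status, user, nonce=None):
    """Build a constructed response; status codes here are illustrative only."""
    lines = [f"SIP/2.0 {status}",
             f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{user}",
             f"From: <sip:{user}@pbx.example>;tag=c{user}",
             f"To: <sip:{user}@pbx.example>;tag=as{user}",
             f"Call-ID: {user}@192.0.2.10", "CSeq: 1 REGISTER"]
    if nonce:
        lines.append(f'WWW-Authenticate: Digest realm="asterisk", nonce="{nonce}"')
    return "\r\n".join(lines + ["Content-Length: 0", "", ""])

VALID = sample("401 Unauthorized", "alice", nonce="4f1a2b3c")
LEAKY_INVALID = sample("404 Not Found", "mallory")
UNIFORM_INVALID = sample("401 Unauthorized", "mallory", nonce="9e8d7c6b")
```

An empty list from `distinguishing_fields` means the two captures are indistinguishable on the compared fields; any entry names a field that still separates valid from invalid usernames.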

No Exp or PoC currently available