FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- PJSIP endpoint presence disclosure when using ACL

Affected packages
asterisk13 < 13.21.1
asterisk15 < 15.4.1

Details

VuXML ID 0137167b-6dca-11e8-a671-001999f8d30b
Discovery 2018-06-11
Entry 2018-06-11

The Asterisk project reports:

When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.
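The 403/401 split described above can be watched for on the defender's side. The following is an added example, not code from the Asterisk project or from VuXML: it flags sources whose requests drew both 403 and 401 responses across several claimed identities, which is the pattern the disclosure produces. The record layout, the `find_enumeration` name, the `min_names` threshold and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real traffic.
# Assumed layout: (source IP, identity the request claimed, SIP status sent back),
# already extracted from SIP traces or a proxy log by some other tool.
SAMPLE = [
    ("203.0.113.7", "100", 401),
    ("203.0.113.7", "101", 403),
    ("203.0.113.7", "102", 401),
    ("203.0.113.7", "103", 403),
    ("203.0.113.7", "104", 401),
    ("198.51.100.20", "101", 401),  # ordinary challenge followed by success
    ("198.51.100.20", "101", 200),
    ("192.0.2.55", "101", 403),     # one ACL-blocked device retrying one name
    ("192.0.2.55", "101", 403),
]


def find_enumeration(records, min_names=4):
    """Return {source: {"defined": [...], "undefined": [...]}} for every source
    that received 403 for some identities and only 401 for others, over at
    least min_names distinct identities (hypothetical threshold)."""
    seen = defaultdict(lambda: {401: set(), 403: set()})
    for src, identity, status in records:
        if status in (401, 403):
            seen[src][status].add(identity)

    findings = {}
    for src, by_status in seen.items():
        defined = by_status[403]                # ACL rule of a defined endpoint fired
        undefined = by_status[401] - defined    # never matched an endpoint ACL
        if defined and undefined and len(defined | undefined) >= min_names:
            findings[src] = {
                "defined": sorted(defined),
                "undefined": sorted(undefined),
            }
    return findings


if __name__ == "__main__":
    for src, result in find_enumeration(SAMPLE).items():
        print(src, "learned defined endpoints:", result["defined"])
```

A source that only ever sees 401, or only ever sees 403 for a single identity, is not flagged; only the mixed pattern over many identities is.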

References

URL https://downloads.asterisk.org/pub/security/AST-2018-008.html