CVE-2011-2666
EPSS 0.59%
Description
The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option. With that option disabled, the driver answers invalid SIP requests differently depending on whether the requested username exists, which allows remote attackers to enumerate account names by sending a series of invalid requests and comparing the responses. This is a different vulnerability than CVE-2011-2536.
How to fix CVE-2011-2666
To remediate CVE-2011-2666, upgrade the affected package to one of the fixed versions listed below. Where an upgrade cannot be applied immediately, enabling the alwaysauthreject option in the SIP channel driver configuration removes the response difference that makes account enumeration possible.
- Debian/asterisk—upgrade to 1:1.8.3.3-1 or later
Is CVE-2011-2666 being exploited?
Low: the EPSS score is 0.6%, a low predicted probability of exploitation, and exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/asterisk: all versions from 0 up to, but not including, 1:1.8.3.3-1