CVE-2011-4597
asterisk - several
EPSS 0.69%
Description
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
How to fix CVE-2011-4597
To remediate CVE-2011-4597, upgrade the affected package to one of the fixed versions listed below.
- Debian/asterisk—upgrade to 1:1.8.8.0~dfsg-1 or later
- Debian/asterisk—upgrade to 1:1.6.2.9-2+squeeze4 or later
Is CVE-2011-4597 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/asterisk: from 0, < 1:1.8.8.0~dfsg-1 (all versions before 1:1.8.8.0~dfsg-1)
- Debian/asterisk: from 0, < 1:1.6.2.9-2+squeeze4 (all versions before 1:1.6.2.9-2+squeeze4)