CVE-2009-3727 - Vulnerability Details

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0072.

Key SSVC decision points have not yet been added.

Vendors	Products
Digium Subscribe	Asterisk Subscribe Asterisknow Subscribe S800i Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:digium:asterisk:1.2.0:::::::*
	cpe:2.3:a:digium:asterisk:1.2.0:beta1::::::
	cpe:2.3:a:digium:asterisk:1.2.0:beta2::::::
	cpe:2.3:a:digium:asterisk:1.2.0:rc1::::::
	cpe:2.3:a:digium:asterisk:1.2.0:rc2::::::
	cpe:2.3:a:digium:asterisk:1.2.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.2:::::::*
	cpe:2.3:a:digium:asterisk:1.2.2:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.3:::::::*
	cpe:2.3:a:digium:asterisk:1.2.3:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.10:::::::*
	cpe:2.3:a:digium:asterisk:1.2.10:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.11:::::::*
	cpe:2.3:a:digium:asterisk:1.2.11:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.12:::::::*
	cpe:2.3:a:digium:asterisk:1.2.12:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.12.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.12.1:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.13:::::::*
	cpe:2.3:a:digium:asterisk:1.2.13:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.14:::::::*
	cpe:2.3:a:digium:asterisk:1.2.15:::::::*
	cpe:2.3:a:digium:asterisk:1.2.15:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.16:::::::*
	cpe:2.3:a:digium:asterisk:1.2.16:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.17:::::::*
	cpe:2.3:a:digium:asterisk:1.2.17:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.18:::::::*
	cpe:2.3:a:digium:asterisk:1.2.18:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.19:::::::*
	cpe:2.3:a:digium:asterisk:1.2.19:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.20:::::::*
	cpe:2.3:a:digium:asterisk:1.2.20:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.21:::::::*
	cpe:2.3:a:digium:asterisk:1.2.21:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.21.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.21.1:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.22:::::::*
	cpe:2.3:a:digium:asterisk:1.2.22:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.23:::::::*
	cpe:2.3:a:digium:asterisk:1.2.23:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.24:::::::*
	cpe:2.3:a:digium:asterisk:1.2.24:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.25:::::::*
	cpe:2.3:a:digium:asterisk:1.2.25:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.26:::::::*
	cpe:2.3:a:digium:asterisk:1.2.26:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.26.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.26.1:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.26.2:::::::*
	cpe:2.3:a:digium:asterisk:1.2.26.2:netsec::::::
	cpe:2.3:a:digium:asterisk:1.2.27:::::::*
	cpe:2.3:a:digium:asterisk:1.2.28:::::::*
	cpe:2.3:a:digium:asterisk:1.2.28.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.29:::::::*
	cpe:2.3:a:digium:asterisk:1.2.30:::::::*
	cpe:2.3:a:digium:asterisk:1.2.30.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.30.2:::::::*
	cpe:2.3:a:digium:asterisk:1.2.30.3:::::::*
	cpe:2.3:a:digium:asterisk:1.2.30.4:::::::*
	cpe:2.3:a:digium:asterisk:1.2.31:::::::*
	cpe:2.3:a:digium:asterisk:1.2.31.1:::::::*
	cpe:2.3:a:digium:asterisk:1.2.32:::::::*
	cpe:2.3:a:digium:asterisk:1.2.33:::::::*
cpe:2.3:a:digium:asterisk:1.2.34:::::::*
cpe:2.3:a:digium:asterisk:1.4.0:::::::*
cpe:2.3:a:digium:asterisk:1.4.0:beta1::::::
cpe:2.3:a:digium:asterisk:1.4.0:beta2::::::
cpe:2.3:a:digium:asterisk:1.4.0:beta3::::::
cpe:2.3:a:digium:asterisk:1.4.0:beta4::::::
cpe:2.3:a:digium:asterisk:1.4.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.3:::::::*
cpe:2.3:a:digium:asterisk:1.4.4:::::::*
cpe:2.3:a:digium:asterisk:1.4.5:::::::*
cpe:2.3:a:digium:asterisk:1.4.6:::::::*
cpe:2.3:a:digium:asterisk:1.4.7:::::::*
cpe:2.3:a:digium:asterisk:1.4.7.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.8:::::::*
cpe:2.3:a:digium:asterisk:1.4.9:::::::*
cpe:2.3:a:digium:asterisk:1.4.10:::::::*
cpe:2.3:a:digium:asterisk:1.4.10.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.11:::::::*
cpe:2.3:a:digium:asterisk:1.4.12:::::::*
cpe:2.3:a:digium:asterisk:1.4.12.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.13:::::::*
cpe:2.3:a:digium:asterisk:1.4.14:::::::*
cpe:2.3:a:digium:asterisk:1.4.15:::::::*
cpe:2.3:a:digium:asterisk:1.4.16:::::::*
cpe:2.3:a:digium:asterisk:1.4.16.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.16.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.17:::::::*
cpe:2.3:a:digium:asterisk:1.4.18:::::::*
cpe:2.3:a:digium:asterisk:1.4.19:::::::*
cpe:2.3:a:digium:asterisk:1.4.19:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.19:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.19:rc3::::::
cpe:2.3:a:digium:asterisk:1.4.19:rc4::::::
cpe:2.3:a:digium:asterisk:1.4.19.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.19.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.20:::::::*
cpe:2.3:a:digium:asterisk:1.4.20:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.20:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.20:rc3::::::
cpe:2.3:a:digium:asterisk:1.4.20.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.21:::::::*
cpe:2.3:a:digium:asterisk:1.4.21:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.21:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.21.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.21.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.22:::::::*
cpe:2.3:a:digium:asterisk:1.4.22:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.22:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.22:rc3::::::
cpe:2.3:a:digium:asterisk:1.4.22:rc4::::::
cpe:2.3:a:digium:asterisk:1.4.22:rc5::::::
cpe:2.3:a:digium:asterisk:1.4.22.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.22.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.23:::::::*
cpe:2.3:a:digium:asterisk:1.4.23:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.23:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.23:rc3::::::
cpe:2.3:a:digium:asterisk:1.4.23:rc4::::::
cpe:2.3:a:digium:asterisk:1.4.23.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.23.2:::::::*
cpe:2.3:a:digium:asterisk:1.4.24:::::::*
cpe:2.3:a:digium:asterisk:1.4.24:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.24.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.25:::::::*
cpe:2.3:a:digium:asterisk:1.4.25:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.25.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.26:::::::*
cpe:2.3:a:digium:asterisk:1.4.26:rc1::::::
cpe:2.3:a:digium:asterisk:1.4.26:rc2::::::
cpe:2.3:a:digium:asterisk:1.4.26:rc3::::::
cpe:2.3:a:digium:asterisk:1.4.26:rc4::::::
cpe:2.3:a:digium:asterisk:1.4.26:rc5::::::
cpe:2.3:a:digium:asterisk:1.4.26:rc6::::::
cpe:2.3:a:digium:asterisk:1.4.26.1:::::::*
cpe:2.3:a:digium:asterisk:1.4.26.2:::::::*
cpe:2.3:a:digium:asterisk:1.6.0:::::::*
cpe:2.3:a:digium:asterisk:1.6.0:beta1::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta2::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta3::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta4::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta5::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta6::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta7::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta7.1::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta8::::::
cpe:2.3:a:digium:asterisk:1.6.0:beta9::::::
cpe:2.3:a:digium:asterisk:1.6.0:rc4::::::
cpe:2.3:a:digium:asterisk:1.6.0:rc5::::::
cpe:2.3:a:digium:asterisk:1.6.0:rc6::::::
cpe:2.3:a:digium:asterisk:1.6.0.1:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.2:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.3:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.3:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.0.4:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.0.5:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.6:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.7:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.8:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.9:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.10:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.11:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.11:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.0.11:rc2::::::
cpe:2.3:a:digium:asterisk:1.6.0.14:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.14:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.0.15:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.16:::::::*
cpe:2.3:a:digium:asterisk:1.6.0.16:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.0.16:rc2::::::
cpe:2.3:a:digium:asterisk:1.6.1.0:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.0:rc2::::::
cpe:2.3:a:digium:asterisk:1.6.1.0:rc3::::::
cpe:2.3:a:digium:asterisk:1.6.1.0:rc4::::::
cpe:2.3:a:digium:asterisk:1.6.1.0:rc5::::::
cpe:2.3:a:digium:asterisk:1.6.1.1:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.2:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.3:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.1.4:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.5:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.5:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.1.6:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.7:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.1.7:rc2::::::
cpe:2.3:a:digium:asterisk:1.6.1.8:::::::*
cpe:2.3:a:digium:asterisk:1.6.1.10:rc1::::::
cpe:2.3:a:digium:asterisk:1.6.1.10:rc2::::::

Configuration 2 [-]

cpe:2.3:a:digium:asterisknow:1.5:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:h:digium:s800i:1.3.0:::::::*
	cpe:2.3:h:digium:s800i:1.3.0.2:::::::*
	cpe:2.3:h:digium:s800i:1.3.0.3:::::::*
	cpe:2.3:h:digium:s800i:1.3.0.4:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:digium:asterisk:a:-:business:::::*
	cpe:2.3:a:digium:asterisk:b:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.1.3.2:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.1.3.3:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.2.0:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.2.1:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.1:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.2:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.3:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.4:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.5:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.3.6:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.5.0:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.5.1:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.5.2:-:business:::::*
	cpe:2.3:a:digium:asterisk:b.2.5.3:-:business:::::*
	cpe:2.3:a:digium:asterisk:c:-:business:::::*
	cpe:2.3:a:digium:asterisk:c.2.3:-:business:::::*
	cpe:2.3:a:digium:asterisk:c.3.0:-:business:::::*

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-1952-1	New asterisk packages fix several vulnerabilities
EUVD	EUVD-2009-3699	Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://downloads.asterisk.org/pub/security/AST-2009-008.html
http://osvdb.org/59697
http://secunia.com/advisories/37265
http://secunia.com/advisories/37479
http://secunia.com/advisories/37677
http://www.debian.org/security/2009/dsa-1952
http://www.securityfocus.com/bid/36924
http://www.securitytracker.com/id?1023133
https://bugzilla.redhat.com/show_bug.cgi?id=523277
https://bugzilla.redhat.com/show_bug.cgi?id=533137
https://www.cve.org/CVERecord?id=CVE-2009-3727
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html

History

Wed, 28 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cve.org/CVERecord?id=CVE-2009-3727

Thu, 22 May 2025 04:30:00 +0000

Type	Values Removed	Values Added
References	https://nvd.nist.gov/vuln/detail/CVE-2009-3727 https://www.cve.org/CVERecord?id=CVE-2009-3727

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-11-10T18:00:00

Updated: 2024-08-07T06:38:30.134Z

Reserved: 2009-10-16T00:00:00

Link: CVE-2009-3727

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-11-10T18:30:00.250

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-3727

Redhat

Severity : Moderate

Publid Date: 2009-11-04T00:00:00Z

Links: CVE-2009-3727 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object