[SIPForum-techwg] Fwd: [Sip-implementors] Security issue in SIPconnect 1.1?
Olle E. Johansson
oej at edvina.net
Fri Dec 16 18:00:14 EST 2011
Kevin and I agreed that there is a security issue in SIPconnect 1.1 that needs to be addressed. See following conversation.
/O
Forwarded message:
> From: "Kevin P. Fleming" <kpfleming at digium.com>
> Subject: Re: [Sip-implementors] Security issue in SIPconnect 1.1?
> Date: 16 December 2011 17:54:38 CET
> To: sip-implementors at lists.cs.columbia.edu
>
> On 12/16/2011 06:34 AM, Olle E. Johansson wrote:
>> "15.4.1.3
>> Unknown SIP-PBX Identity
>> The SP-SSE MUST issue a 404 Not Found response to a REGISTER request, if the Registration AOR of the SIP-PBX is not found in its database. An SIP-PBX receiving such a response to a REGISTER request MUST consider the Registration attempt to have failed, and notify the SIP-PBX administrator if possible through some means. The SIP-PBX SHOULD follow the backoff procedures defined previously in Section 15.4.1.1."
>>
>> This means that it will be easy to find accounts in a SIPconnect compliant service. If an account exists, I'll get an authentication response. Otherwise I will get a 404. This is something we fixed in Asterisk a long time ago in order to not make it easy to find existing accounts.
>
> Indeed, and we continue to deal with additional cases where the response
> behavior differs between known and unknown AoRs or request URIs. I agree
> with Olle here, this provision of SIPconnect 1.1 should be modified to
> indicate that the SP-SSE MUST respond with an authentication challenge
> regardless of whether the AoR in the attempted registration is found in
> its database or not.
>
> Olle, do you want to take this to the SIPForum 'techwg' list? If not, I
> will.
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at www.digium.com & www.asterisk.org
> _______________________________________________
> Sip-implementors mailing list
> Sip-implementors at lists.cs.columbia.edu
> https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
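As an added illustration (not code from this thread, from SIPconnect or from Asterisk), a minimal Python registrar stub contrasts the 404-on-unknown behaviour quoted above with the always-challenge behaviour Kevin proposes, and includes a check an operator can run against a registrar to confirm the status line no longer reveals whether an AoR exists. The AoR database, realm and REGISTER message are constructed sample data.

```python
import os

# Constructed registrar database: Registration AoR -> provisioning secret (sample data).
REGISTERED_AORS = {"sip:pbx1@example.net": "sample-secret"}

# Constructed REGISTER request as a SIP-PBX would send it to the SP-SSE.
SAMPLE_REGISTER = (
    "REGISTER sip:example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:pbx1@example.net>;tag=1928\r\n"
    "To: <sip:pbx1@example.net>\r\n"
    "Call-ID: a84b4c@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:pbx1@192.0.2.10>\r\n"
    "Content-Length: 0\r\n\r\n"
)


def registration_aor(register_msg):
    """Extract the Registration AoR from the To header (RFC 3261 registers the To URI)."""
    for line in register_msg.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "t"):
            if "<" in value:
                return value.split("<", 1)[1].split(">", 1)[0]
            return value.strip().split(";")[0]
    raise ValueError("REGISTER without To header")


def _digest_challenge(realm="example.net"):
    # Fresh nonce per challenge, so only the status line is comparable across requests.
    return f'Digest realm="{realm}", nonce="{os.urandom(16).hex()}", algorithm=MD5, qop="auth"'


def register_response_leaky(aor, db=REGISTERED_AORS):
    """Behaviour as SIPconnect 1.1 section 15.4.1.3 words it: unknown AoR gets 404."""
    if aor not in db:
        return 404, "Not Found", {}
    return 401, "Unauthorized", {"WWW-Authenticate": _digest_challenge()}


def register_response_hardened(aor, db=REGISTERED_AORS):
    """Proposed fix: challenge every REGISTER; the lookup happens only after credentials arrive."""
    return 401, "Unauthorized", {"WWW-Authenticate": _digest_challenge()}


def is_enumeration_oracle(responder, known_aor, unknown_aor):
    """True if an unauthenticated REGISTER lets a sender tell known from unknown AoRs.
    Compares status code and reason phrase only; response timing should be checked separately."""
    k_code, k_reason, _ = responder(known_aor)
    u_code, u_reason, _ = responder(unknown_aor)
    return (k_code, k_reason) != (u_code, u_reason)
```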