Asterisk, sip response permit username identification

Author: francesco.tornieri \"At\" verona-wireless.net 
Summary: Sip responses permit user identification
Release Date: 16/04/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.4.x (tested 1.4.40) 
    Asterisk 1.6.x (tested 1.6.2.17.2)
    Asterisk 1.8.x isn't affected (tested 1.8.3.2)

Description:
It's possible to enumerate valide sip username through use INVITE request method instead of REGISTER method (a similar problem has been fixed by Digium in 2009 and has been described in this document http://downloads.asterisk.org/pub/security/AST-2009-003.html)

Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.1.1
realm=asterisk
allowguest=no    
alwaysauthreject=yes    <----

[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729

[100](template)
callerid=phone100<100>
username=100
secret=password

[500](template)
callerid=phone200<500>
username=500
secret=password

----------------
Method: REGISTER
----------------
Valid and Invalid user:
Response: Timed out

----------------
Method: INVITE
----------------
Invalid user:
Response: 'SIP/2.0 407 Proxy Authentication Required\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2943238028;received=192.168.1.250;rport=63772\r\nFrom: "101"<sip:101@192.168.1.1>; tag=3130310132353237333535383832\r\nTo: "101"<sip:101@192.168.1.1>;tag=as7e9ffcb3\r\nCall-ID: 777784064\r\nCSeq: 1 INVITE\r\nUser-Agent: Asterisk PBX\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\nSupported: replaces\r\nProxy-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="256bdf28"\r\nContent-Length: 0\r\n\r\n'
WARNING:root:found nothing

Valid user:
Mehod; INVITE
Response: nothing

Francesco Tornieri