When endpoint-specific ACL rules block a SIP request, they respond with a 403 Forbidden. However, if an endpoint is not identified, then a 401 Unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.
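One way to spot a source using the 401/403 difference described above to map defined endpoints, added here as an example and not taken from the Asterisk project or this bug report. The record layout, the sample data, the function name `find_enumeration_sources` and the `min_targets` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (source IP, SIP user in the request, response code).
# This is a simplified stand-in, not Asterisk's actual log format.
SAMPLE_RESPONSES = [
    ("198.51.100.7", "1000", 401),
    ("198.51.100.7", "1001", 403),
    ("198.51.100.7", "1002", 401),
    ("198.51.100.7", "1003", 403),
    ("198.51.100.7", "1004", 401),
    ("203.0.113.20", "alice", 401),
    ("203.0.113.20", "alice", 401),
    ("192.0.2.44", "2001", 403),
    ("192.0.2.44", "2001", 403),
]


def find_enumeration_sources(records, min_targets=4):
    """Flag sources whose requests span many distinct users and drew both
    401 and 403, i.e. sources that could tell defined endpoints apart.

    min_targets is an assumed threshold; tune it to the site's traffic.
    Returns {source: sorted list of users that were answered with 403}.
    """
    targets = defaultdict(set)    # source -> distinct users requested
    codes = defaultdict(set)      # source -> response codes received
    disclosed = defaultdict(set)  # source -> users answered with 403
    for src, user, status in records:
        if status not in (401, 403):
            continue  # only the two responses named in the report matter here
        targets[src].add(user)
        codes[src].add(status)
        if status == 403:
            disclosed[src].add(user)

    findings = {}
    for src, users in targets.items():
        # A single phone retrying one account sees one code for one user;
        # a mapping attempt sees both codes across many users.
        if len(users) >= min_targets and codes[src] == {401, 403}:
            findings[src] = sorted(disclosed[src])
    return findings


if __name__ == "__main__":
    for src, endpoints in find_enumeration_sources(SAMPLE_RESPONSES).items():
        print(f"{src}: probed many users; 403 disclosed endpoints {endpoints}")
```

The users listed for a flagged source are the endpoints whose existence the 403 responses revealed to it, which is the full extent of the disclosure: the ACL still blocked those requests.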
Created asterisk tracking bugs for this issue:
Affects: epel-6 [bug 1590212]
Affects: fedora-all [bug 1590213]