Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1891
Asterisk Project Security Advisory - AST-2014-011
21 October 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk
Publisher: Digium
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3566
Reference: ASB-2014.0122
ESB-2014.1879
ESB-2014.1878
ESB-2014.1877
ESB-2014.1872
ESB-2014.1871
ESB-2014.1869
ESB-2014.1868.2
ESB-2014.1863
ESB-2014.1860
ESB-2014.1859
ESB-2014.1858
ESB-2014.1857
ESB-2014.1849
Original Bulletin:
http://downloads.digium.com/pub/security/AST-2014-011.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2014-011
Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
Exploits Known No
Reported On 16 October 2014
Reported By abelbeck
Posted On 20 October 2014
Last Updated On October 20, 2014
Advisory Contact Matt Jordan <mjordan AT digium DOT com>
CVE Name CVE-2014-3566
Description The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk's project susceptibility
to this vulnerability.
The POODLE vulnerability consists of two issues:
1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.
2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.
Asterisk is susceptible to both portions of the vulnerability
in different places.
1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.
2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.
Resolution Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.
1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.
2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.
Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions
Corrected In
Product Release
Asterisk Open Source 1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk 1.8.28-cert2, 11.6-cert7
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff Certified
Asterisk
11.6
Links https://issues.asterisk.org/jira/browse/ASTERISK-24425
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html
Revision History
Date Editor Revisions Made
October 19 Matt Jordan Initial Revision
Asterisk Project Security Advisory - AST-2014-011
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVEW2XRLndAQH1ShLAQK24BAAs1zHs+EBD9jvrYSMhDHiYZ1hPDcVfP8d
s4Z84CTcBvRpg2vWek6x5RReLDmPXLF7Odnt/XozQW1dmLGwMxzQ9TnzRPdjc5V9
GsGMv2N08Y3DXbpKyBg0ik7gZ2ox4SyroAgaqDGRwB3UdsV8/6dU4IoGUF6U3Enh
CQ3B6nZ/pM1blVNFSBaWoioQvb5Nmt+kK3uO9T38jGU77axDI5UaHCrmiIGRNF+6
oKlA2QSQ+T8QToLT3aqWXl0IGN7gSeQq5eHGG6M/9kMtgJ9PtXzO9VJNga4kk/TZ
wgwoKLpyuQgRM/e8yxsX16Bb84Bln6a/3+82FhdM7eqht18q8v7cwLLuQOUBcL68
JpdaGnk+6ZkW6gq8vlItn0IDszFtXzWnNj8Ul6VhygswNS8cd27HeNBCoHWATRMq
4rdTIhLf7mSdMUL8L9zME3MmppcuJcxRxI+EcgE9+njUQYKxd9pJGl/vsFEmMunK
uQxX+POyG9UrHyu4NllyDzZ9H6D712PMPbTIIQzv/GB+h0qvJOkTLlDdQzdkACmb
guewy5n0mN7UMgSorn4YL7ixThC9VwYlFjPPPsez8oFAMGA2ROoJHlSTvdcAjMpf
z/pZxflaCTYm6sYEaXLNxaifggOkjawyhSQ95ayaJUlQ9WVxKj8arohLffRif14b
8+4+SOg+bnE=
=au3K
-----END PGP SIGNATURE-----