===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0927
            Asterisk Project Security Advisory - AST-2015-003
                               10 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3008

Original Bulletin:
  http://downloads.digium.com/pub/security/AST-2015-003.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Asterisk Project Security Advisory - AST-2015-003

Product:             Asterisk
Summary:             TLS Certificate Common name NULL byte exploit
Nature of Advisory:  Man in the Middle Attack
Susceptibility:      Remote Authenticated Sessions
Severity:            Major
Exploits Known:      None
Reported On:         12 January, 2015
Reported By:         Maciej Szmigiero
Posted On:           March 04, 2015
Last Updated On:     April 8, 2015
Advisory Contact:    Jonathan Rose <jrose AT digium DOT com>
CVE Name:            CVE-2015-3008

Description

When Asterisk registers to a SIP TLS device and verifies the server,
Asterisk will accept signed certificates that match a common name other
than the one Asterisk is expecting if the signed certificate has a common
name containing a null byte after the portion of the common name that
Asterisk expected. For example, if Asterisk is trying to register to
www.domain.com, Asterisk will accept certificates of the form
www.domain.com\x00www.someotherdomain.com. For more information on this
exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

Resolution

Asterisk has been patched to verify that the common name length of the
certificate matches the common name that Asterisk actually reads. Asterisk
will not accept certificates with common names that contain null bytes.
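The mechanism behind the description and the shape of the resolution, as an added illustration that is not part of the advisory or of Asterisk's own patch: an ASN.1 string in a certificate carries its own length, so a NUL is an ordinary byte inside it, whereas a C-string comparison stops at the first NUL. The sample CN bytes, the minimal DER reader and both checking functions are constructed for this example.

```c
#include <string.h>

/* Constructed sample (not from the advisory's patch): DER encoding of a
 * certificate CN attribute value, a UTF8String (tag 0x0c) with one-byte
 * length 0x26 = 38 followed by the advisory's bytes
 * "www.domain.com" NUL "www.someotherdomain.com". */
static const unsigned char SAMPLE_CN_TLV[] =
    "\x0c\x26" "www.domain.com\0www.someotherdomain.com";
#define SAMPLE_CN_TLV_LEN ((int)sizeof(SAMPLE_CN_TLV) - 1)

/* Minimal DER reader for a short-form string TLV. ASN.1 strings are
 * length-prefixed, so a NUL byte is an ordinary character inside them. */
int der_read_string(const unsigned char *tlv, int tlv_len,
                    const unsigned char **val, int *val_len)
{
    if (tlv_len < 2 || (tlv[0] != 0x0c && tlv[0] != 0x13 && tlv[0] != 0x16))
        return 0;                   /* not a UTF8/Printable/IA5String */
    if (tlv[1] >= 0x80 || 2 + tlv[1] > tlv_len)
        return 0;                   /* long-form or truncated length */
    *val = tlv + 2;
    *val_len = tlv[1];
    return 1;
}

/* Vulnerable pattern: copy the CN into a NUL-terminated buffer and compare
 * it as a C string. strcmp() stops at the embedded NUL, so only
 * "www.domain.com" is compared and the forged certificate is accepted. */
int cn_matches_naive(const unsigned char *cn, int cn_len, const char *expected)
{
    char buf[256];
    if (cn_len < 0 || cn_len >= (int)sizeof(buf))
        return 0;
    memcpy(buf, cn, (size_t)cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Hardened pattern in the spirit of the AST-2015-003 fix: the length the
 * certificate reports must equal the length of the C string actually read,
 * i.e. no NUL inside the reported length; otherwise the CN is rejected. */
int cn_matches_checked(const unsigned char *cn, int cn_len, const char *expected)
{
    if (cn_len < 0 || memchr(cn, '\0', (size_t)cn_len) != NULL)
        return 0;                   /* embedded NUL: reject certificate */
    if ((size_t)cn_len != strlen(expected))
        return 0;                   /* lengths differ: cannot match */
    return memcmp(cn, expected, (size_t)cn_len) == 0;
}
```

On the sample, cn_matches_naive() reports a match for www.domain.com while cn_matches_checked() rejects the certificate.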
Affected Versions

  Product                  Release Series
  Asterisk Open Source     1.8.x            All versions
  Asterisk Open Source     11.x             All versions
  Asterisk Open Source     12.x             All versions
  Asterisk Open Source     13.x             All versions
  Certified Asterisk       1.8.28           All versions
  Certified Asterisk       11.6             All versions
  Certified Asterisk       13.1             All versions

Corrected In

  Product                  Release
  Asterisk Open Source     1.8.32.3, 11.17.1, 12.8.2, 13.3.2
  Certified Asterisk       1.8.28-cert5, 11.6-cert11, 13.1-cert2

Patches

  SVN URL                                                                Revision
  http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.28.diff    Certified Asterisk 1.8.28
  http://downloads.asterisk.org/pub/security/AST-2015-003-11.6.diff      Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2015-003-13.1.diff      Certified Asterisk 13.1
  http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.diff       Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2015-003-11.diff        Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2015-003-12.diff        Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2015-003-13.diff        Asterisk 13

Links

  https://issues.asterisk.org/jira/browse/ASTERISK-24847

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2015-003.pdf
and http://downloads.digium.com/pub/security/AST-2015-003.html

Revision History

  Date             Editor          Revisions Made
  19 March, 2015   Jonathan Rose   Initial creation of document
  08 April, 2015   Matt Jordan     Added CVE.

Copyright (c) 2015 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.