Asterisk Security Team
2015-Apr-08 21:20 UTC
[asterisk-users] AST-2015-003: TLS Certificate Common name NULL byte exploit
Asterisk Project Security Advisory - AST-2015-003 Product Asterisk Summary TLS Certificate Common name NULL byte exploit Nature of Advisory Man in the Middle Attack Susceptibility Remote Authenticated Sessions Severity Major Exploits Known None Reported On 12 January, 2015 Reported By Maciej Szmigiero Posted On March 04, 2015 Last Updated On April 8, 2015 Advisory Contact Jonathan Rose <jrose AT digium DOT com> CVE Name CVE-2015-3008 Description When Asterisk registers to a SIP TLS device and and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com - for more information on this exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/ Resolution Asterisk has been patched to verify that the common name length of the certificate matches the common name that Asterisk actually reads. Asterisk will not accept certificates with common names that contain null bytes. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 11.x All versions Asterisk Open Source 12.x All versions Asterisk Open Source 13.x All versions Certified Asterisk 1.8.28 All versions Certified Asterisk 11.6 All versions Certified Asterisk 13.1 All versions Corrected In Product Release Asterisk Open Source 1.8.32.3, 11.17.1, 12.8.2 13.3.2 Certified Asterisk 1.8.28-cert5, 11.6-cert11, 13.1-cert2 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.28.diff Certified Asterisk 1.8.28 http://downloads.asterisk.org/pub/security/AST-2015-003-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2015-003-13.1.diff Certified Asterisk 13.1 http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2015-003-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2015-003-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2015-003-13.diff Asterisk 13 Links https://issues.asterisk.org/jira/browse/ASTERISK-24847 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2015-003.pdf and http://downloads.digium.com/pub/security/AST-2015-003.html Revision History Date Editor Revisions Made 19 March, 2015 Jonathan Rose Initial creation of document 08 April, 2015 Matt Jordan Added CVE. Asterisk Project Security Advisory - AST-2015-003 Copyright (c) 2015 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Possibly Parallel Threads
- AST-2015-003: TLS Certificate Common name NULL byte exploit
- Asterisk 1.8.28-cert5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2, 13.3.2 Now Available (Security Release)
- Asterisk 1.8.28-cert5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2, 13.3.2 Now Available (Security Release)
- AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.
- AST-2016-002: File descriptor exhaustion in chan_sip