Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service or incorrect certificate validation.

CVE-2014-6610 Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.

CVE-2014-4046 Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action.

CVE-2014-2286 main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.

CVE-2014-8412 The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.

CVE-2014-8418 The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.

CVE-2015-3008 Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability :

  - AST-2015-003: TLS Certificate Common name NULL byte     exploit

    When Asterisk registers to a SIP TLS device and and     verifies the server, Asterisk will accept signed     certificates that match a common name other than the one     Asterisk is expecting if the signed certificate has a     common name containing a null byte after the portion of     the common name that Asterisk expected. This potentially     allows for a man in the middle attack.

For more information about the details of this vulnerability, please read security advisory AST-2015-003, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs :

http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.28-cert5 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.32.3 http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-11.6-cert11 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-11.17.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-12.8.2 http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-13.1-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-13.3.2

The security advisory is available at :

  -     http://downloads.asterisk.org/pub/security/AST-2015-003.
    pdf

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated asterisk packages fix security vulnerability :

When Asterisk registers to a SIP TLS device and and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected (CVE-2015-3008).

According to its SIP banner, the version of Asterisk running on the remote host is potentially affected by flaw related to certificate validation when registering a SIP TLS device due to not properly verifying a server hostname against an X.509 Common Name (CN) field that has a NULL byte appended after the expected results. A man-in-the-middle attacker can exploit this, via a crafted certificate, to spoof arbitrary SSL servers and intercept network traffic.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

When Asterisk registers to a SIP TLS device and and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com

ID	Name	Product	Family	Severity
94259	Debian DSA-3700-1 : asterisk - security update	Nessus	Debian Local Security Checks	high
90873	Debian DLA-455-1 : asterisk security update	Nessus	Debian Local Security Checks	high
84910	Fedora 22 : asterisk-13.3.2-1.fc22 (2015-5948)	Nessus	Fedora Local Security Checks	medium
83098	Mandriva Linux Security Advisory : asterisk (MDVSA-2015:206)	Nessus	Mandriva Local Security Checks	medium
82901	Asterisk TLS Certificate Common Name NULL Byte Vulnerability (AST-2015-003)	Nessus	Misc.	medium
82650	FreeBSD : asterisk -- TLS Certificate Common name NULL byte exploit (5fee3f02-de37-11e4-b7c3-001999f8d30b)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2015-3008

high

Tenable Plugins

high

high

medium

medium

medium

medium