what you don't know can hurt you

Asterisk Project Security Advisory - AST-2014-011

Asterisk Project Security Advisory - AST-2014-011
Posted Oct 21, 2014
Authored by Matt Jordan | Site asterisk.org

Asterisk Project Security Advisory - Asterisk suffered from the SSL POODLE vulnerability.

tags | advisory
advisories | CVE-2014-3566
MD5 | a170a03fa9b649c31b8476187a9185fb

Asterisk Project Security Advisory - AST-2014-011

Change Mirror Download
               Asterisk Project Security Advisory - AST-2014-011

Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
Exploits Known No
Reported On 16 October 2014
Reported By abelbeck
Posted On 20 October 2014
Last Updated On October 20, 2014
Advisory Contact Matt Jordan <mjordan AT digium DOT com>
CVE Name CVE-2014-3566

Description The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk's project susceptibility
to this vulnerability.

The POODLE vulnerability consists of two issues:

1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.

2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.

Asterisk is susceptible to both portions of the vulnerability
in different places.

1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.

2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.

Resolution Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.

1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.

2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk 1.8.28-cert2, 11.6-cert7

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-24425

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html

Revision History
Date Editor Revisions Made
October 19 Matt Jordan Initial Revision

Asterisk Project Security Advisory - AST-2014-011
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close