[asterisk-bugs] [JIRA] (ASTERISK-24972) Transport Layer Security (TLS) Protocol CRIME Vulnerability

Alex A. Welzl (JIRA) noreply at issues.asterisk.org
Fri Apr 17 05:12:32 CDT 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex A. Welzl updated ASTERISK-24972:
-------------------------------------

    Description: 
According to the security scan, the built-in web server seems to be vulnerable.
There are no settings to enable/disable anything besides ciphers.

tlsclientmethod=tlsv1
tlscipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

Only solution seems to be to put an NGINX proxy in front of Asterisk (e.g. http://nginx.com/blog/websocket-nginx/)

Nessus and Acunetix discovered the following Medium vulnerability; please investigate if SSL / TLS compression can be disabled.

Description
The remote service has one of two configurations that are known to be required for the CRIME attack :

- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

Solution
Disable compression and / or the SPDY service.

See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?8ec18eb5
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Output
The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
Host: X.X.X.130
Port: 8089 / tcp / www


  was:
According to the security scan, the built-in web server seems to be vulnerable.
There are no settings to enable/disable anything besides ciphers.

tlscipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

Only solution seems to be to put an NGINX proxy in front of Asterisk (e.g. http://nginx.com/blog/websocket-nginx/)

Nessus and Acunetix discovered the following Medium vulnerability; please investigate if SSL / TLS compression can be disabled.

Description
The remote service has one of two configurations that are known to be required for the CRIME attack :

- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

Solution
Disable compression and / or the SPDY service.

See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?8ec18eb5
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Output
The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
Host: X.X.X.130
Port: 8089 / tcp / www



> Transport Layer Security (TLS) Protocol CRIME Vulnerability
> -----------------------------------------------------------
>
>                 Key: ASTERISK-24972
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24972
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_http_websocket
>    Affects Versions: 13.2.0
>            Reporter: Alex A. Welzl
>
> According to the security scan, the built-in web server seems to be vulnerable.
> There are no settings to enable/disable anything besides ciphers.
> tlsclientmethod=tlsv1
> tlscipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
> Only solution seems to be to put an NGINX proxy in front of Asterisk (e.g. http://nginx.com/blog/websocket-nginx/)
> Nessus and Acunetix discovered the following Medium vulnerability; please investigate if SSL / TLS compression can be disabled.
> Description
> The remote service has one of two configurations that are known to be required for the CRIME attack :
> - SSL / TLS compression is enabled.
> - TLS advertises the SPDY protocol earlier than version 4.
> Note that Nessus did not attempt to launch the CRIME attack against the remote service.
> Solution
> Disable compression and / or the SPDY service.
> See Also
> http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
> https://discussions.nessus.org/thread/5546
> http://www.nessus.org/u?8ec18eb5
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
> Output
> The following configuration indicates that the remote service
> may be vulnerable to the CRIME attack :
> - SSL / TLS compression is enabled.
> Host: X.X.X.130
> Port: 8089 / tcp / www



--
This message was sent by Atlassian JIRA
(v6.2#6252)
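The scanner finding above is a passive configuration check: the server is offered a non-null compression method in the ClientHello and flagged if its ServerHello selects it. The script below reproduces that check so an operator can verify the Asterisk HTTPS port (8089 in the report) before and after a fix, and confirm the "Nessus did not attempt to launch the CRIME attack" caveat by construction: it sends one ClientHello, reads one ServerHello, and sends no application data. This is an added example, not code from the Asterisk project or from the scanner; the function names, the default cipher-suite list and the constructed ServerHello test vector are assumptions made here.

```python
import socket
import struct

# Added example (not Asterisk or Nessus code). Constructed TLS 1.2 records only;
# the ServerHello used for offline testing is built by constructed_server_hello().

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01

# Assumed default offer: a few common RSA/ECDHE suites so an OpenSSL-based
# server using the report's tlscipher list can pick one.
DEFAULT_SUITES = (0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035, 0x000A)


def build_client_hello(cipher_suites=DEFAULT_SUITES,
                       compression_methods=(COMPRESSION_DEFLATE, COMPRESSION_NULL),
                       client_random=b"\x00" * 32):
    """TLS 1.2 ClientHello record that offers DEFLATE first, then null.
    client_random is fixed so the output is deterministic; a real client
    would use os.urandom(32). No extensions (so no SNI) are included."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                                  # client_version: TLS 1.2
            + client_random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(compression_methods))
            + bytes(compression_methods)
            + b"\x00\x00")                               # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])           # record version 3.1 is conventional
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_hello(data):
    """Parse the first TLS record of a reply. Returns the negotiated version,
    cipher suite and compression method for a ServerHello, or None for an
    alert or any other reply (e.g. a server that rejects the hello)."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 38:                                   # version + random + sid_len + suite + comp
        return None
    off = 35 + body[34]                                  # skip session_id
    if len(body) < off + 3:
        return None
    return {
        "version": (body[0], body[1]),
        "cipher_suite": struct.unpack("!H", body[off:off + 2])[0],
        "compression": body[off + 2],
    }


def server_accepts_compression(reply):
    """True only if the server answered with a ServerHello selecting a
    non-null compression method, i.e. the condition the scanner reports."""
    hello = parse_server_hello(reply)
    return hello is not None and hello["compression"] != COMPRESSION_NULL


def check_tls_compression(host, port=8089, timeout=5.0):
    """Live check against host:port. Returns the parsed ServerHello or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(4096)
    return parse_server_hello(reply)


def constructed_server_hello(compression, cipher_suite=0x002F, version=(3, 3)):
    """Constructed test vector: minimal ServerHello with an empty session_id
    and no extensions, used to exercise the parser offline."""
    body = (bytes(version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8089
    hello = check_tls_compression(target, port)
    if hello is None:
        print("no ServerHello (alert or unsupported offer)")
    else:
        print("compression method selected:", hello["compression"],
              "(0 = null; anything else means TLS compression is enabled)")
```

Two caveats when reading the result. A server that requires SNI, or that refuses a hello with no extensions, answers with an alert and the script reports no ServerHello rather than a pass; re-run with a full client (`openssl s_client`) in that case. And a TLS 1.3 server will still answer this hello with TLS 1.2 or lower, because no supported_versions extension is sent, so a null result here says nothing about the 1.3 path (which has no compression at all). OpenSSL builds since 1.1.0 disable compression by default, which is the usual reason a scanner stops reporting this finding after an upgrade even when the application's own TLS settings are unchanged.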


