[asterisk-bugs] [JIRA] (ASTERISK-24972) Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Feb 3 19:46:33 CST 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-24972:
-----------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24972
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24972
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_http_websocket
>    Affects Versions: 13.2.0
>            Reporter: Alex A. Welzl
>            Assignee: Joshua Colp
>      Target Release: 11.21.1, 13.7.1
>
>
> [Edit by Rusty - We don't appear to be vulnerable to CRIME, but should investigate vulnerability to BEAST]
> According to the security scan, the built-in web server seems to be vulnerable.
> There are no settings to enable/disable anything besides ciphers.
> tlsclientmethod=tlsv1
> tlscipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
> The only solution seems to be to put an NGINX proxy in front of Asterisk (e.g. http://nginx.com/blog/websocket-nginx/).
> Nessus and Acunetix discovered the following Medium vulnerability; please investigate whether SSL / TLS compression can be disabled.
> Description
> The remote service has one of two configurations that are known to be required for the CRIME attack :
> 	SSL / TLS compression is enabled. 
> 	TLS advertises the SPDY protocol earlier than version 4. 
> Note that Nessus did not attempt to launch the CRIME attack against the remote service.
> Solution
> Disable compression and / or the SPDY service.
> See Also
> http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
> https://discussions.nessus.org/thread/5546
> http://www.nessus.org/u?8ec18eb5
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
> Output
> The following configuration indicates that the remote service
> may be vulnerable to the CRIME attack :
> - SSL / TLS compression is enabled.
> Host: X.X.X.130
> Port: 8089 / tcp / www



--
This message was sent by Atlassian JIRA
(v6.2#6252)
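The scanner output above only infers two preconditions (TLS compression offered, which CRIME needs, and a TLSv1 session on a CBC suite, which BEAST needs) from the server's configuration. The probe below is an added example, not part of the ticket and not Asterisk code: it performs a real handshake against the listener with Python's ssl module, records what was actually negotiated, and applies the same two tests. It also expands the ticket's tlscipher string with the local OpenSSL to show which of its suites are CBC-mode, since a cipher list alone cannot remove the BEAST precondition while TLSv1 is still negotiable. The host and port, the suite-name heuristic, and the TLSCIPHER constant reused from the report are assumptions. Two caveats: a default client context refuses compression, so the probe must explicitly offer it; and most current OpenSSL builds are compiled without zlib, in which case compression can never be negotiated from this client no matter what the server does.

```python
"""Probe a TLS listener (such as Asterisk's HTTP server on 8089) for the two
scanner preconditions discussed in the ticket: TLS compression (CRIME) and a
TLSv1 session on a CBC suite (BEAST).
Added example, not Asterisk code. Host/port and the suite heuristic are assumptions."""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# The tlscipher string from the ticket, reused here as a constructed input.
TICKET_TLSCIPHER = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5")


@dataclass
class TlsProbeResult:
    protocol: str                # e.g. "TLSv1", "TLSv1.2"
    cipher: str                  # OpenSSL suite name, e.g. "AES256-SHA"
    compression: Optional[str]   # e.g. "zlib", or None when none was negotiated


def is_cbc_cipher(name: str) -> bool:
    """Heuristic on OpenSSL suite names: AEAD (GCM/CCM/CHACHA20) and stream (RC4)
    suites are not CBC; any other SSLv3/TLS1.x suite in OpenSSL is CBC-mode."""
    upper = name.upper()
    return not any(tok in upper for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def classify(result: TlsProbeResult) -> List[str]:
    """Apply the same two preconditions the scanner reports on to a real session."""
    findings = []
    if result.compression is not None:
        findings.append("CRIME precondition: TLS compression negotiated (%s)" % result.compression)
    if result.protocol in ("SSLv3", "TLSv1") and is_cbc_cipher(result.cipher):
        findings.append("BEAST precondition: %s with CBC suite %s" % (result.protocol, result.cipher))
    return findings


def suites_from_spec(spec: str) -> List[str]:
    """Expand an OpenSSL cipher string (the format Asterisk's tlscipher uses) into
    the concrete suite names the local OpenSSL would enable for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def build_probe_context() -> ssl.SSLContext:
    """Client context that offers compression and permits TLSv1 so the server's
    choices become observable. Certificate checks are off on purpose: this only
    inspects negotiation parameters, it is not a client you would reuse elsewhere."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION   # default contexts refuse compression; we want to see it
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow the server to pick TLSv1 if it wants
        ctx.set_ciphers("ALL:@SECLEVEL=0")           # OpenSSL >= 1.1 blocks TLSv1 at the default level
    except (ValueError, ssl.SSLError):
        pass                                         # library without TLSv1/seclevel: probe TLSv1.2+ only
    return ctx


def offers_compression(ctx: ssl.SSLContext) -> bool:
    """True when the context will advertise compression in its ClientHello."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def probe(host: str, port: int = 8089, timeout: float = 5.0) -> TlsProbeResult:
    """Handshake with host:port and record what was actually negotiated."""
    ctx = build_probe_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return TlsProbeResult(protocol=proto, cipher=name, compression=tls.compression())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    cbc = [s for s in suites_from_spec(TICKET_TLSCIPHER) if is_cbc_cipher(s)]
    print("CBC suites still enabled by the ticket's tlscipher:", ", ".join(cbc))
    res = probe(target)
    print("negotiated:", res)
    for finding in classify(res) or ["no CRIME/BEAST preconditions observed"]:
        print(" -", finding)
```

Run it as `python3 tls_probe.py <host>` against the listener on 8089. A clean result for this report is compression `None` and a TLSv1.2 (or newer) session on an AEAD suite; if the session comes back as TLSv1 with a CBC suite, the cipher list is not enough and the server must stop offering TLSv1, which is exactly the knob the reporter notes is missing from the built-in server's configuration.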