[asterisk-security] AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk Security Team
security at asterisk.org
Mon Oct 20 11:41:48 CDT 2014
Asterisk Project Security Advisory - AST-2014-011
Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
Exploits Known No
Reported On 16 October 2014
Reported By abelbeck
Posted On 20 October 2014
Last Updated On October 20, 2014
Advisory Contact Matt Jordan <mjordan AT digium DOT com>
CVE Name CVE-2014-3566
Description The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk's project susceptibility
to this vulnerability.
The POODLE vulnerability consists of two issues:
1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.
2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.
Asterisk is susceptible to both portions of the vulnerability
in different places.
1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.
2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.
Resolution Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.
1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.
2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.
Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions
Corrected In
Product Release
Asterisk Open Source 1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk 1.8.28-cert2, 11.6-cert7
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff Certified
Asterisk
11.6
Links https://issues.asterisk.org/jira/browse/ASTERISK-24425
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html
Revision History
Date Editor Revisions Made
October 19 Matt Jordan Initial Revision
Asterisk Project Security Advisory - AST-2014-011
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
More information about the asterisk-security
mailing list