Bug 546040 (CVE-2015-3008)

Summary: net-misc/asterisk-11.17.1: TLS Certificate Common name NULL byte exploit (CVE-2015-3008)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://downloads.asterisk.org/pub/security/AST-2015-003.html
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-04-09 09:56:38 UTC
From ${URL} :

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept
signed certificates that match a common name other than the one Asterisk is expecting if the signed 
certificate has a common name containing a null byte after the portion of the common name that 
Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will 
accept certificates of the form www.domain.com\x00www.someotherdomain.com – for more information on 
this exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

fixed in:
1.8.32.3, 11.17.1, 12.8.2, 13.3.2


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
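The bug class described above comes down to how the Common Name is compared: an X.509 CN is an ASN.1 string with an explicit length and may legally contain a NUL byte, but a comparison that treats it as a C string stops at the first NUL. The following is an added illustration written for this bug entry, not code from Asterisk or from the advisory; the function names `cn_matches_naive` and `cn_matches_strict` are hypothetical, and the sample CN is a constructed byte string modelled on the advisory's example. It shows the flawed length-blind comparison next to the check a verifier should perform: use the ASN.1 length, and reject any CN that contains an embedded NUL.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the raw bytes of a CN as an ASN.1 string would carry
 * them, with an embedded NUL after the hostname the client expects.
 * The trailing NUL of the C literal is excluded from SAMPLE_CN_LEN. */
static const unsigned char SAMPLE_CN[] =
    "www.domain.com\0www.someotherdomain.com";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;

/* Flawed comparison (hypothetical, models the bug class): the CN is handed
 * to strcmp as if it were a C string, so everything after the first NUL
 * byte is ignored and the ASN.1 length is never consulted.
 * Returns 1 when the CN is treated as matching, 0 otherwise. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len,
                     const char *expected)
{
    (void)cn_len; /* length ignored: this is the defect */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened comparison (hypothetical): compare over the full ASN.1 length
 * and refuse any CN that contains a NUL byte at all, since no valid
 * hostname does. Returns 1 on an exact match, 0 otherwise. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len,
                      const char *expected)
{
    size_t expected_len = strlen(expected);

    /* An embedded NUL is never part of a hostname: reject outright. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;

    /* Lengths must agree before the bytes are compared. */
    if (cn_len != expected_len)
        return 0;

    return memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *expected = "www.domain.com";

    printf("naive  check accepts crafted CN: %d\n",
           cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, expected));
    printf("strict check accepts crafted CN: %d\n",
           cn_matches_strict(SAMPLE_CN, SAMPLE_CN_LEN, expected));
    printf("strict check accepts genuine CN: %d\n",
           cn_matches_strict((const unsigned char *)expected,
                             strlen(expected), expected));
    return 0;
}
```

The naive variant reports a match for the crafted CN because `strcmp` stops at the embedded NUL; the strict variant rejects it on the NUL check alone, and would also reject it on the length mismatch. Real verifiers should additionally prefer the subjectAltName dNSName entries over the CN, but the length and NUL handling shown here applies to those fields in the same way.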
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 18:06:35 UTC
CVE-2015-3008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3008):
  Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before
  12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before
  1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when
  registering a SIP TLS device, does not properly handle a null byte in a
  domain name in the subject's Common Name (CN) field of an X.509 certificate,
  which allows man-in-the-middle attackers to spoof arbitrary SSL servers via
  a crafted certificate issued by a legitimate Certification Authority.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2015-04-13 12:33:55 UTC
+*asterisk-13.3.2 (13 Apr 2015)
+*asterisk-12.8.2 (13 Apr 2015)
+*asterisk-11.17.1 (13 Apr 2015)
+
+  13 Apr 2015; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.16.0.ebuild,
+  +asterisk-11.17.1.ebuild, -asterisk-12.8.1.ebuild, +asterisk-12.8.2.ebuild,
+  -asterisk-13.1.1.ebuild, -asterisk-13.2.0.ebuild, +asterisk-13.3.2.ebuild:
+  Upgrades on branches 11, 12 & 13 to address a null-byte exploit in TLS
+  certificate CN field verification (CVE-2015-3008 / AST-2015-003). Removed all
+  vulnerable non-stable ebuilds. For security bug #546040 by Agostino "ago"
+  Sarubbo.

Arches, please test & mark stable:
=net-misc/asterisk-11.17.1

Test plan:
emerge asterisk with USE="samples"
start & stop the daemon three times in sequence
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-14 09:34:49 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-17 09:51:11 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-17 12:22:47 UTC
GLSA vote: no.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-04-19 13:28:24 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2015-04-28 08:31:03 UTC
+  28 Apr 2015; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.15.0-r1.ebuild:
+  Remove vulnerable ebuild, for security bug #546040.

Maintainer work done, CC removed.