Bug 15674

Summary: asterisk new security issue CVE-2015-3008
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: oe, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/640414/
Whiteboard: has_procedure advisory mga4-64-ok
Source RPM: asterisk-11.14.2-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-10 17:01:54 CEST 
Upstream has issued an advisory on March 4:
http://downloads.asterisk.org/pub/security/AST-2015-003.html

The issue is fixed in 11.17.1.

This update will also address this upstream advisory:
http://downloads.asterisk.org/pub/security/AST-2015-002.html

However, that is not a vulnerability for us as we have fixed curl already.

Oden has committed the update in Mageia 4 and Cauldron SVN.  Freeze push pending.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2015-04-10 17:07:52 CEST 
======================================================
Name: CVE-2015-3008
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20150408
Category: 
Reference: BUGTRAQ:20150408 AST-2015-003: TLS Certificate Common name NULL byte exploit
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/535222/100/0/threaded
Reference: FULLDISC:20150408 AST-2015-003: TLS Certificate Common name NULL byte exploit
Reference: URL:http://seclists.org/fulldisclosure/2015/Apr/22
Reference: MISC:http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
Reference: CONFIRM:http://downloads.asterisk.org/pub/security/AST-2015-003.html
Reference: SECTRACK:1032052
Reference: URL:http://www.securitytracker.com/id/1032052

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x
before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28
before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before
13.1-cert2, when registering a SIP TLS device, does not properly
handle a null byte in a domain name in the subject's Common Name (CN)
field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority.

CC: (none) => oe

Comment 2 David Walser 2015-04-10 17:12:13 CEST 
Information for this update once it's pushed in Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

When Asterisk registers to a SIP TLS device and and verifies the server,
Asterisk will accept signed certificates that match a common name other than
the one Asterisk is expecting if the signed certificate has a common name
containing a null byte after the portion of the common name that Asterisk
expected (CVE-2015-3008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
http://downloads.asterisk.org/pub/security/AST-2015-003.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.17.1-summary.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.17.1-1.mga4
libasteriskssl1-11.17.1-1.mga4
asterisk-addons-11.17.1-1.mga4
asterisk-firmware-11.17.1-1.mga4
asterisk-devel-11.17.1-1.mga4
asterisk-plugins-corosync-11.17.1-1.mga4
asterisk-plugins-alsa-11.17.1-1.mga4
asterisk-plugins-calendar-11.17.1-1.mga4
asterisk-plugins-cel-11.17.1-1.mga4
asterisk-plugins-curl-11.17.1-1.mga4
asterisk-plugins-dahdi-11.17.1-1.mga4
asterisk-plugins-fax-11.17.1-1.mga4
asterisk-plugins-festival-11.17.1-1.mga4
asterisk-plugins-ices-11.17.1-1.mga4
asterisk-plugins-jabber-11.17.1-1.mga4
asterisk-plugins-jack-11.17.1-1.mga4
asterisk-plugins-lua-11.17.1-1.mga4
asterisk-plugins-ldap-11.17.1-1.mga4
asterisk-plugins-minivm-11.17.1-1.mga4
asterisk-plugins-mobile-11.17.1-1.mga4
asterisk-plugins-mp3-11.17.1-1.mga4
asterisk-plugins-mysql-11.17.1-1.mga4
asterisk-plugins-ooh323-11.17.1-1.mga4
asterisk-plugins-oss-11.17.1-1.mga4
asterisk-plugins-pktccops-11.17.1-1.mga4
asterisk-plugins-portaudio-11.17.1-1.mga4
asterisk-plugins-pgsql-11.17.1-1.mga4
asterisk-plugins-radius-11.17.1-1.mga4
asterisk-plugins-saycountpl-11.17.1-1.mga4
asterisk-plugins-skinny-11.17.1-1.mga4
asterisk-plugins-snmp-11.17.1-1.mga4
asterisk-plugins-speex-11.17.1-1.mga4
asterisk-plugins-sqlite-11.17.1-1.mga4
asterisk-plugins-tds-11.17.1-1.mga4
asterisk-plugins-osp-11.17.1-1.mga4
asterisk-plugins-unistim-11.17.1-1.mga4
asterisk-plugins-voicemail-11.17.1-1.mga4
asterisk-plugins-voicemail-imap-11.17.1-1.mga4
asterisk-plugins-voicemail-plain-11.17.1-1.mga4
asterisk-gui-11.17.1-1.mga4

from asterisk-11.17.1-1.mga4.src.rpm
David Walser 2015-04-10 17:12:23 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 3 David Walser 2015-04-13 23:00:49 CEST 
Finally pushed in Cauldron.  Assigning to QA.

See Comment 2 for all of the details.

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 4 claire robinson 2015-04-14 14:33:43 CEST 
Testing complete mga4 64

tested as per https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 5 claire robinson 2015-04-14 17:22:39 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-04-15 11:02:32 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0153.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-15 18:47:53 CEST

URL: (none) => http://lwn.net/Vulnerabilities/640414/