Multiple Asterisk products TLS Certificate verification Security Restriction Bypass Vulnerability (CVE-2015-3008)
Release date:
Updated on:
Affected Systems:
Asterisk Open Source <1.8.32.3
Asterisk Open Source 13.x
Asterisk Open Source 12.x
Asterisk Open Source 11.x
Description:
Bugtraq id: 74022
CVE (CAN) ID: CVE-2015-3008
Asterisk is free and open-source software that provides Private Branch Exchange (PBX) functionality.
When Asterisk Open Source registers a SIP TLS device, it incorrectly handles NULL bytes in the domain name of the CN field of the X.509 certificate subject. A man-in-the-middle attacker can exploit this vulnerability to impersonate any SSL server by constructing a suitable certificate.
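The check that goes wrong here is the comparison of the certificate's CN against the expected hostname. The CN is an ASN.1 string carrying its own length, but if the verifier hands its bytes to a C string function, the comparison stops at the first NUL byte and everything after it is ignored. The following is an added example (not Asterisk's code and not the vendor patch) that contrasts that unsafe pattern with a length-aware comparison that rejects any CN whose ASN.1 length disagrees with its C-string length. The CN value and hostnames are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CN as a verifier would receive it from the DER
 * parser: the bytes plus an explicit length. The literal contains an
 * embedded NUL after "sip.example.com", so the ASN.1 length (32) is
 * larger than what strlen() would report (15). */
static const unsigned char constructed_cn[] = "sip.example.com\0attacker.example";
static const size_t constructed_cn_len = sizeof(constructed_cn) - 1;

/* Unsafe pattern: the ASN.1 length is ignored and strcmp() is used,
 * so the comparison silently stops at the embedded NUL byte. */
bool cn_matches_host_unsafe(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* length discarded: this is the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened comparison (assumed approach, not the vendor's exact fix):
 *  1. reject an empty or implausibly long CN;
 *  2. reject any CN that contains a NUL byte within its declared length,
 *     because a DNS name can never legitimately contain one;
 *  3. compare on the full declared length with memcmp(), never strcmp(). */
bool cn_matches_host_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_len == 0 || cn_len > 255) {
        return false;
    }
    if (memchr(cn, '\0', cn_len) != NULL) {
        return false; /* embedded NUL: ASN.1 length != C-string length */
    }
    size_t host_len = strlen(host);
    if (host_len != cn_len) {
        return false;
    }
    return memcmp(cn, host, cn_len) == 0;
}

/* Convenience wrapper returning 1 when the two checks disagree on a CN,
 * i.e. when the unsafe matcher would accept something the safe one rejects. */
int checks_disagree(const unsigned char *cn, size_t cn_len, const char *host)
{
    return cn_matches_host_unsafe(cn, cn_len, host) != cn_matches_host_safe(cn, cn_len, host);
}

int main(void)
{
    const char *host = "sip.example.com";
    printf("unsafe matcher accepts constructed CN: %s\n",
           cn_matches_host_unsafe(constructed_cn, constructed_cn_len, host) ? "yes" : "no");
    printf("safe matcher accepts constructed CN:   %s\n",
           cn_matches_host_safe(constructed_cn, constructed_cn_len, host) ? "yes" : "no");
    printf("checks disagree: %d\n", checks_disagree(constructed_cn, constructed_cn_len, host));
    return 0;
}
```

The important design point is that the length reported by the ASN.1 decoder is authoritative; any comparison that drops it in favour of C-string semantics reintroduces the bug, so the safe variant both checks for an interior NUL and compares on the declared length.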
Source: Maciej Szmigiero
Suggestion:
Vendor patch:
Asterisk
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://downloads.asterisk.org/pub/security/AST-2015-003.html
Permanent link for this article: