Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community
 SearchSearch 

[asterisk-users] /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on


 
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users
View previous topic :: View next topic  
Author Message
security at asterisk.org
Guest
PostPosted: Thu May 22, 2008 9:54 am    Post subject: [asterisk-users] /home/putnopvut/asa/AST-2008-007/AST-2008-0 Reply with quote
Asterisk Project Security Advisory - AST-2008-007

+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Asterisk installations using cryptographic keys |
| | generated by Debian-based systems may be using a |
| | vulnerable implementation of OpenSSL |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Compromised cryptographic keys |
|--------------------+---------------------------------------------------|
| Susceptibility | Users of RSA for IAX2 authentication and users of |
| | DUNDi |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | None specific to Asterisk, but OpenSSL exploits |
| | are circulating |
|--------------------+---------------------------------------------------|
| Reported On | 13 May 2008 |
|--------------------+---------------------------------------------------|
| Reported By | Luciano Bello |
|--------------------+---------------------------------------------------|
| Posted On | May 16, 2008 |
|--------------------+---------------------------------------------------|
| Last Updated On | May 22, 2008 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-0166 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The Debian team recently announced that cryptographic |
| | keys generated by their OpenSSL package were created |
| | using a random number generator with predictable |
| | results. This affects Debian's stable and unstable |
| | distributions, as well as Debian-derived systems such as |
| | Ubuntu. See the links in the "Links" session of this |
| | advisory for more information about the vulnerability. |
| | |
| | Asterisk is not directly affected by this vulnerability; |
| | however, Asterisk's 'astgenkey' script uses OpenSSL in |
| | order to generate cryptographic keys. Therefore, |
| | Asterisk users who use RSA for authentication of IAX2 |
| | calls and who use DUNDi may be using compromised keys. |
| | This vulnerability affects any such installation whose |
| | cryptographic keys were generated on a Debian-based |
| | system, even if the Asterisk installation itself is not |
| | on a Debian-based system. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Since this is not a vulnerability in Asterisk itself but |
| | in a tool that Asterisk uses, there will be no new |
| | releases made; however, users who are affected by the |
| | Debian OpenSSL vulnerability are strongly encouraged to |
| | upgrade their package of OpenSSL to an uncompromised |
| | version (version 0.9.8c-4 or later) and regenerate all |
| | keys used by Asterisk. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.0.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.2.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.4.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | A.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | B.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | C.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| AsteriskNOW | pre-release | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Appliance Developer Kit | 0.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| s800i (Asterisk Appliance) | 1.0.x | N/A |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| N/A | N/A |
|------------------------------------+-----------------------------------|
|------------------------------------+-----------------------------------|
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://www.debian.org/security/2008/dsa-1571 |
| | |
| | http://wiki.debian.org/SSLkeys |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-007.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| May 15, 2008 | Mark Michelson | Initial advisory |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-007
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Back to top
Display posts from previous:   
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

VoiceMeUp - Corporate & Wholesale VoIP Services