[VOIPSEC] /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised
Asterisk Security Team
security at asterisk.org
Thu May 22 09:54:29 CDT 2008
Asterisk Project Security Advisory - AST-2008-007
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Asterisk installations using cryptographic keys |
| | generated by Debian-based systems may be using a |
| | vulnerable implementation of OpenSSL |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Compromised cryptographic keys |
|--------------------+---------------------------------------------------|
| Susceptibility | Users of RSA for IAX2 authentication and users of |
| | DUNDi |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | None specific to Asterisk, but OpenSSL exploits |
| | are circulating |
|--------------------+---------------------------------------------------|
| Reported On | 13 May 2008 |
|--------------------+---------------------------------------------------|
| Reported By | Luciano Bello |
|--------------------+---------------------------------------------------|
| Posted On | May 16, 2008 |
|--------------------+---------------------------------------------------|
| Last Updated On | May 22, 2008 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-0166 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Debian team recently announced that cryptographic |
| | keys generated by their OpenSSL package were created |
| | using a random number generator with predictable |
| | results. This affects Debian's stable and unstable |
| | distributions, as well as Debian-derived systems such as |
| | Ubuntu. See the links in the "Links" session of this |
| | advisory for more information about the vulnerability. |
| | |
| | Asterisk is not directly affected by this vulnerability; |
| | however, Asterisk's 'astgenkey' script uses OpenSSL in |
| | order to generate cryptographic keys. Therefore, |
| | Asterisk users who use RSA for authentication of IAX2 |
| | calls and who use DUNDi may be using compromised keys. |
| | This vulnerability affects any such installation whose |
| | cryptographic keys were generated on a Debian-based |
| | system, even if the Asterisk installation itself is not |
| | on a Debian-based system. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Since this is not a vulnerability in Asterisk itself but |
| | in a tool that Asterisk uses, there will be no new |
| | releases made; however, users who are affected by the |
| | Debian OpenSSL vulnerability are strongly encouraged to |
| | upgrade their package of OpenSSL to an uncompromised |
| | version (version 0.9.8c-4 or later) and regenerate all |
| | keys used by Asterisk. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.0.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.2.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.4.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | A.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | B.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | C.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| AsteriskNOW | pre-release | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Appliance Developer Kit | 0.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| s800i (Asterisk Appliance) | 1.0.x | N/A |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| N/A | N/A |
|------------------------------------+-----------------------------------|
|------------------------------------+-----------------------------------|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://www.debian.org/security/2008/dsa-1571 |
| | |
| | http://wiki.debian.org/SSLkeys |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-007.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| May 15, 2008 | Mark Michelson | Initial advisory |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2008-007
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
More information about the Voipsec
mailing list