To: [email protected]
From: "Asterisk Security Team" <security@asterisk.org.>
Subject: /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised
Message-Id: <E1JzCBZ-0005Oe-0I@mail.digium.com.>
Date: Thu, 22 May 2008 09:54:29 -0500
X-Virus-Scanned: antivirus-gw at tyumen.ru
Asterisk Project Security Advisory - AST-2008-007
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Asterisk installations using cryptographic keys |
| | generated by Debian-based systems may be using a |
| | vulnerable implementation of OpenSSL |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Compromised cryptographic keys |
|--------------------+---------------------------------------------------|
| Susceptibility | Users of RSA for IAX2 authentication and users of |
| | DUNDi |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | None specific to Asterisk, but OpenSSL exploits |
| | are circulating |
|--------------------+---------------------------------------------------|
| Reported On | 13 May 2008 |
|--------------------+---------------------------------------------------|
| Reported By | Luciano Bello |
|--------------------+---------------------------------------------------|
| Posted On | May 16, 2008 |
|--------------------+---------------------------------------------------|
| Last Updated On | May 22, 2008 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-0166 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Debian team recently announced that cryptographic |
| | keys generated by their OpenSSL package were created |
| | using a random number generator with predictable |
| | results. This affects Debian's stable and unstable |
| | distributions, as well as Debian-derived systems such as |
| | Ubuntu. See the links in the "Links" session of this |
| | advisory for more information about the vulnerability. |
| | |
| | Asterisk is not directly affected by this vulnerability; |
| | however, Asterisk's 'astgenkey' script uses OpenSSL in |
| | order to generate cryptographic keys. Therefore, |
| | Asterisk users who use RSA for authentication of IAX2 |
| | calls and who use DUNDi may be using compromised keys. |
| | This vulnerability affects any such installation whose |
| | cryptographic keys were generated on a Debian-based |
| | system, even if the Asterisk installation itself is not |
| | on a Debian-based system. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Since this is not a vulnerability in Asterisk itself but |
| | in a tool that Asterisk uses, there will be no new |
| | releases made; however, users who are affected by the |
| | Debian OpenSSL vulnerability are strongly encouraged to |
| | upgrade their package of OpenSSL to an uncompromised |
| | version (version 0.9.8c-4 or later) and regenerate all |
| | keys used by Asterisk. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.0.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.2.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Open Source | 1.4.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | A.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | B.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Business Edition | C.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| AsteriskNOW | pre-release | N/A |
|-----------------------------------+----------------+-------------------|
| Asterisk Appliance Developer Kit | 0.x.x | N/A |
|-----------------------------------+----------------+-------------------|
| s800i (Asterisk Appliance) | 1.0.x | N/A |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------+-----------------------------------|
| N/A | N/A |
|------------------------------------+-----------------------------------|
|------------------------------------+-----------------------------------|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://www.debian.org/security/2008/dsa-1571 |
| | |
| | http://wiki.debian.org/SSLkeys |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-007.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+----------------------+-----------------------------|
| May 15, 2008 | Mark Michelson | Initial advisory |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2008-007
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.