Full Disclosure: /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised

From: Asterisk Security Team <security_at_asterisk.org>
Date: Thu, 22 May 2008 09:54:29 -0500

               Asterisk Project Security Advisory - AST-2008-007

   +------------------------------------------------------------------------+
   | Product            | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   | Summary            | Asterisk installations using cryptographic keys   |
   |                    | generated by Debian-based systems may be using a  |
   |                    | vulnerable implementation of OpenSSL              |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Compromised cryptographic keys                    |
   |--------------------+---------------------------------------------------|
   | Susceptibility     | Users of RSA for IAX2 authentication and users of |
   |                    | DUNDi                                             |
   |--------------------+---------------------------------------------------|
   | Severity           | Critical                                          |
   |--------------------+---------------------------------------------------|
   | Exploits Known     | None specific to Asterisk, but OpenSSL exploits   |
   |                    | are circulating                                   |
   |--------------------+---------------------------------------------------|
   | Reported On        | 13 May 2008                                       |
   |--------------------+---------------------------------------------------|
   | Reported By        | Luciano Bello                                     |
   |--------------------+---------------------------------------------------|
   | Posted On          | May 16, 2008                                      |
   |--------------------+---------------------------------------------------|
   | Last Updated On    | May 22, 2008                                      |
   |--------------------+---------------------------------------------------|
   | Advisory Contact   | Mark Michelson < mmichelson AT digium DOT com >   |
   |--------------------+---------------------------------------------------|
   | CVE Name           | CVE-2008-0166                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Debian team recently announced that cryptographic    |
   |             | keys generated by their OpenSSL package were created     |
   |             | using a random number generator with predictable         |
   |             | results. This affects Debian's stable and unstable       |
   |             | distributions, as well as Debian-derived systems such as |
   |             | Ubuntu. See the links in the "Links" section of this     |
   |             | advisory for more information about the vulnerability.   |
   |             |                                                          |
   |             | Asterisk is not directly affected by this vulnerability; |
   |             | however, Asterisk's 'astgenkey' script uses OpenSSL in   |
   |             | order to generate cryptographic keys. Therefore,         |
   |             | Asterisk users who use RSA for authentication of IAX2    |
   |             | calls and who use DUNDi may be using compromised keys.   |
   |             | This vulnerability affects any such installation whose   |
   |             | cryptographic keys were generated on a Debian-based      |
   |             | system, even if the Asterisk installation itself is not  |
   |             | on a Debian-based system.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution  | Since this is not a vulnerability in Asterisk itself but |
   |             | in a tool that Asterisk uses, there will be no new       |
   |             | releases made; however, users who are affected by the    |
   |             | Debian OpenSSL vulnerability are strongly encouraged to  |
   |             | upgrade their package of OpenSSL to an uncompromised     |
   |             | version (version 0.9.8c-4 or later) and regenerate all   |
   |             | keys used by Asterisk.                                   |
   +------------------------------------------------------------------------+
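
The advisory leaves the "which of my keys are weak" question to the operator. The following audit script is an added example, not part of the advisory or of Asterisk: it fingerprints every key pair in Asterisk's key directory and reports the ones listed in a blocklist of known-weak moduli. It assumes the keys live in /var/lib/asterisk/keys (where astgenkey writes <name>.key and <name>.pub), that a blocklist file exists at the path shown, and that the blocklist's fingerprint convention is the last 20 hex digits of SHA-1 over the "Modulus=<hex>" line printed by `openssl rsa -noout -modulus` (my understanding of Debian's openssl-blacklist format; confirm it against your blocklist's documentation before trusting an "ok").

```python
# Added example (not from the advisory or Asterisk): audit Asterisk's RSA key
# files against a blocklist of fingerprints of known-weak moduli.
# Assumed: keys live in /var/lib/asterisk/keys (where astgenkey writes
# <name>.key / <name>.pub); the blocklist holds one fingerprint per line, being
# the last 20 hex digits of SHA-1 over the "Modulus=<hex>" line (with newline)
# that `openssl rsa -noout -modulus` prints. Confirm this matches your blocklist.
import hashlib
import os
import subprocess
import sys

KEYDIR = "/var/lib/asterisk/keys"
BLOCKLIST = "/usr/share/openssl-blacklist/blacklist.RSA-1024"  # assumed path


def modulus_line(path, public):
    """Ask the openssl CLI for the 'Modulus=<hex>' line of a PEM RSA key."""
    cmd = ["openssl", "rsa", "-noout", "-modulus", "-in", path]
    if public:  # .pub files need -pubin
        cmd.insert(2, "-pubin")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def fingerprint(modulus_text):
    """Last 20 hex digits (80 bits) of SHA-1 over the modulus line."""
    return hashlib.sha1(modulus_text.encode()).hexdigest()[-20:]


def parse_blocklist(text):
    """One lowercase fingerprint per line; blanks and '#' comments ignored."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def audit(modulus_by_file, blocklist):
    """Map each key file name to 'WEAK' or 'ok' (a pair shares one modulus)."""
    return {name: "WEAK" if fingerprint(mod) in blocklist else "ok"
            for name, mod in modulus_by_file.items()}


def main():
    with open(BLOCKLIST) as f:
        blocklist = parse_blocklist(f.read())
    names = sorted(n for n in os.listdir(KEYDIR) if n.endswith((".key", ".pub")))
    moduli = {n: modulus_line(os.path.join(KEYDIR, n), n.endswith(".pub"))
              for n in names}
    weak = [n for n, v in audit(moduli, blocklist).items() if v == "WEAK"]
    for n in weak:
        print(f"WEAK {n}: regenerate with astgenkey after upgrading OpenSSL")
    return 1 if weak else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it after the OpenSSL upgrade as well as before: a key regenerated with the still-vulnerable package will be flagged again, which is the check that the regeneration actually helped.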

   +------------------------------------------------------------------------+
   | Affected Versions                                                      |
   |------------------------------------------------------------------------|
   | Product                           | Release Series |                   |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Open Source              | 1.0.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Open Source              | 1.2.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Open Source              | 1.4.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Business Edition         | A.x.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Business Edition         | B.x.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Business Edition         | C.x.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | AsteriskNOW                       | pre-release    | N/A               |
   |-----------------------------------+----------------+-------------------|
   | Asterisk Appliance Developer Kit  | 0.x.x          | N/A               |
   |-----------------------------------+----------------+-------------------|
   | s800i (Asterisk Appliance)        | 1.0.x          | N/A               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Corrected In                                                           |
   |------------------------------------------------------------------------|
   | Product                            | Release                           |
   |------------------------------------+-----------------------------------|
   | N/A                                | N/A                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Links       | http://www.debian.org/security/2008/dsa-1571             |
   |             |                                                          |
   |             | http://wiki.debian.org/SSLkeys                           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-007.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-007.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Revision History                                                       |
   |------------------------------------------------------------------------|
   | Date              | Editor               | Revisions Made              |
   |-------------------+----------------------+-----------------------------|
   | May 15, 2008      | Mark Michelson       | Initial advisory            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-007
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Received on May 22 2008