BugTraq
/home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised May 22 2008 02:54PM
Asterisk Security Team (security asterisk org) (1 replies)
Asterisk Project Security Advisory - AST-2008-007

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Asterisk installations using cryptographic keys |
| | generated by Debian-based systems may be using a |
| | vulnerable implementation of OpenSSL |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Compromised cryptographic keys |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Users of RSA for IAX2 authentication and users of |
| | DUNDi |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | None specific to Asterisk, but OpenSSL exploits |
| | are circulating |
|--------------------+--------------------------------------------------
-|
| Reported On | 13 May 2008 |
|--------------------+--------------------------------------------------
-|
| Reported By | Luciano Bello |
|--------------------+--------------------------------------------------
-|
| Posted On | May 16, 2008 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | May 22, 2008 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Mark Michelson < mmichelson AT digium DOT com > |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2008-0166 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | The Debian team recently announced that cryptographic |
| | keys generated by their OpenSSL package were created |
| | using a random number generator with predictable |
| | results. This affects Debian's stable and unstable |
| | distributions, as well as Debian-derived systems such as |
| | Ubuntu. See the links in the "Links" session of this |
| | advisory for more information about the vulnerability. |
| | |
| | Asterisk is not directly affected by this vulnerability; |
| | however, Asterisk's 'astgenkey' script uses OpenSSL in |
| | order to generate cryptographic keys. Therefore, |
| | Asterisk users who use RSA for authentication of IAX2 |
| | calls and who use DUNDi may be using compromised keys. |
| | This vulnerability affects any such installation whose |
| | cryptographic keys were generated on a Debian-based |
| | system, even if the Asterisk installation itself is not |
| | on a Debian-based system. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Since this is not a vulnerability in Asterisk itself but |
| | in a tool that Asterisk uses, there will be no new |
| | releases made; however, users who are affected by the |
| | Debian OpenSSL vulnerability are strongly encouraged to |
| | upgrade their package of OpenSSL to an uncompromised |
| | version (version 0.9.8c-4 or later) and regenerate all |
| | keys used by Asterisk. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release Series | |
|-----------------------------------+----------------+------------------
-|
| Asterisk Open Source | 1.0.x | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Open Source | 1.2.x | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Open Source | 1.4.x | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Business Edition | A.x.x | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Business Edition | B.x.x | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Business Edition | C.x.x | N/A |
|-----------------------------------+----------------+------------------
-|
| AsteriskNOW | pre-release | N/A |
|-----------------------------------+----------------+------------------
-|
| Asterisk Appliance Developer Kit | 0.x.x | N/A |
|-----------------------------------+----------------+------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | N/A |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|------------------------------------+----------------------------------
-|
| N/A | N/A |
|------------------------------------+----------------------------------
-|
|------------------------------------+----------------------------------
-|
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | http://www.debian.org/security/2008/dsa-1571 |
| | |
| | http://wiki.debian.org/SSLkeys |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-007.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-007.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-------------------+----------------------+----------------------------
-|
| May 15, 2008 | Mark Michelson | Initial advisory |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2008-007
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus