<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr"><<a href="mailto:security@asterisk.org">security@asterisk.org</a>></span><br>Date: 2016-02-03 23:59 GMT-02:00<br>Subject: [asterisk-dev] AST-2016-001: BEAST vulnerability in HTTP server<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br> Asterisk Project Security Advisory - AST-2016-001<br>
<br>
<table>
<tr><td><b>Product</b></td><td>Asterisk</td></tr>
<tr><td><b>Summary</b></td><td>BEAST vulnerability in HTTP server</td></tr>
<tr><td><b>Nature of Advisory</b></td><td>Unauthorized data disclosure due to man-in-the-middle attack</td></tr>
<tr><td><b>Susceptibility</b></td><td>Remote unauthenticated sessions</td></tr>
<tr><td><b>Severity</b></td><td>Minor</td></tr>
<tr><td><b>Exploits Known</b></td><td>Yes</td></tr>
<tr><td><b>Reported On</b></td><td>04/15/15</td></tr>
<tr><td><b>Reported By</b></td><td>Alex A. Welzl</td></tr>
<tr><td><b>Posted On</b></td><td>02/03/16</td></tr>
<tr><td><b>Last Updated On</b></td><td>February 3, 2016</td></tr>
<tr><td><b>Advisory Contact</b></td><td>Joshua Colp <jcolp AT digium DOT com></td></tr>
<tr><td><b>CVE Name</b></td><td>Pending</td></tr>
</table>
<br>
<b>Description</b> The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.<br>
<br>
<b>Resolution</b> Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.<br>
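As an added illustration, not part of the advisory and not Asterisk project code, the following Python checker parses an Asterisk-style http.conf [general] section and reports whether the TLS settings leave the server in the state the advisory describes: TLS 1.0 still negotiable together with CBC-mode cipher suites, with the client rather than the server choosing the cipher order. The option names tlsenable, tlscipher, tlsdisablev1 and tlsservercipherorder are assumptions taken from my recollection of Asterisk's http.conf.sample after this fix; confirm them against the sample file shipped with your version. The two configurations are constructed samples, and the checker treats an absent option as the pre-fix default (TLS 1.0 permitted, library default cipher list, client preference order).

```python
"""Check an Asterisk-style http.conf for a BEAST-susceptible TLS setup.

Added example, not Asterisk project code. Option names are assumed from
http.conf.sample (tlsenable, tlscipher, tlsdisablev1, tlsservercipherorder);
verify them against your Asterisk version. Absent options are treated as the
pre-fix defaults: TLS 1.0 allowed, library default cipher list, client order.
"""
import configparser
from typing import Dict, List

# Constructed sample: TLS on, nothing restricted (pre-fix style defaults).
WEAK_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=0.0.0.0
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
; tlsdisablev1, tlsservercipherorder and tlscipher left unset
"""

# Constructed sample: TLS 1.0 off, AEAD-only suites, server picks the order.
HARDENED_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=0.0.0.0
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsdisablev1=yes
tlsservercipherorder=yes
tlscipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""

# Suites whose name carries one of these markers are not CBC-mode.
NON_CBC_MARKERS = ("GCM", "CHACHA20", "CCM", "RC4")
# OpenSSL cipher-list keywords that expand to families containing CBC suites.
CBC_INCLUSIVE_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "AES",
                          "AES128", "AES256", "3DES", "DES", "SHA", "SHA1",
                          "SHA256", "SHA384", "CAMELLIA", "TLSV1", "TLSV1.2"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "on", "1"}


def cipher_list_allows_cbc(cipher_spec: str) -> bool:
    """True if an OpenSSL-style cipher string may still admit a CBC-mode suite.

    Exclusions ('!X', '-X') are skipped; '+X' keeps X in the list. Family
    keywords are treated conservatively as including CBC suites; an explicitly
    named suite without a non-CBC marker (e.g. AES128-SHA) counts as CBC.
    """
    if not cipher_spec.strip():
        return True  # empty means the library default, which includes CBC suites
    for token in cipher_spec.split(":"):
        token = token.strip()
        if not token or token[0] in "!-":
            continue
        token = token.lstrip("+").upper()
        if token in CBC_INCLUSIVE_KEYWORDS:
            return True
        if not any(marker in token for marker in NON_CBC_MARKERS):
            return True
    return False


def assess_http_conf(conf_text: str) -> Dict[str, object]:
    """Parse the [general] section and return the TLS posture plus findings."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",))
    parser.read_string(conf_text)
    general = parser["general"] if parser.has_section("general") else {}

    def opt(name: str, default: str = "") -> str:
        # Asterisk also accepts 'key => value'; strip a leading '>' if present.
        return str(general.get(name, default)).lstrip("> ").strip()

    tls_enabled = _truthy(opt("tlsenable", "no"))
    tls10_allowed = not _truthy(opt("tlsdisablev1", "no"))
    server_order = _truthy(opt("tlsservercipherorder", "no"))
    cbc_allowed = cipher_list_allows_cbc(opt("tlscipher"))

    findings: List[str] = []
    if tls_enabled and tls10_allowed:
        findings.append("TLS 1.0 still negotiable: set tlsdisablev1=yes")
    if tls_enabled and cbc_allowed:
        findings.append("cipher list admits CBC suites: restrict tlscipher to AEAD suites")
    if tls_enabled and not server_order:
        findings.append("client chooses cipher order: set tlsservercipherorder=yes")

    return {
        "tls_enabled": tls_enabled,
        "tls10_allowed": tls10_allowed,
        "cbc_allowed": cbc_allowed,
        "server_cipher_order": server_order,
        # BEAST needs a CBC suite under TLS 1.0 or earlier; closing either closes it.
        "beast_susceptible": tls_enabled and tls10_allowed and cbc_allowed,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTP_CONF), ("hardened", HARDENED_HTTP_CONF)):
        result = assess_http_conf(conf)
        print(f"{label}: susceptible={result['beast_susceptible']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The checker is deliberately conservative on cipher strings: OpenSSL family keywords such as HIGH are reported as admitting CBC suites because they do, and only explicitly listed AEAD or stream suites clear the check. Server cipher order is reported as a finding but does not by itself decide the BEAST verdict, since a preferred non-CBC suite does not stop a client that offers nothing else.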
<br>
Affected Versions<br>
<table>
<tr><th>Product</th><th>Release Series</th><th>Affected</th></tr>
<tr><td>Asterisk Open Source</td><td>1.8.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Open Source</td><td>11.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Open Source</td><td>12.x</td><td>All Versions</td></tr>
<tr><td>Asterisk Open Source</td><td>13.x</td><td>All Versions</td></tr>
<tr><td>Certified Asterisk</td><td>1.8.28</td><td>All Versions</td></tr>
<tr><td>Certified Asterisk</td><td>11.6</td><td>All Versions</td></tr>
<tr><td>Certified Asterisk</td><td>13.1</td><td>All Versions</td></tr>
</table>
<br>
Corrected In<br>
<table>
<tr><th>Product</th><th>Release</th></tr>
<tr><td>Asterisk Open Source</td><td>11.21.1, 13.7.1</td></tr>
<tr><td>Certified Asterisk</td><td>11.6-cert12, 13.1-cert3</td></tr>
</table>
<br>
Patches<br>
<table>
<tr><th>SVN URL</th><th>Revision</th></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff</a></td><td>Certified Asterisk 1.8.28</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff</a></td><td>Certified Asterisk 11.6</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff</a></td><td>Certified Asterisk 13.1</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff</a></td><td>Asterisk 11</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff</a></td><td>Asterisk 12</td></tr>
<tr><td><a href="http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff</a></td><td>Asterisk 13</td></tr>
</table>
<br>
Links <a href="https://issues.asterisk.org/jira/browse/ASTERISK-24972" rel="noreferrer" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-24972</a><br>
<br>
Asterisk Project Security Advisories are posted at<br>
<a href="http://www.asterisk.org/security" rel="noreferrer" target="_blank">http://www.asterisk.org/security</a><br>
<br>
This document may be superseded by later versions; if so, the latest<br>
version will be posted at<br>
<a href="http://downloads.digium.com/pub/security/AST-2016-001.pdf" rel="noreferrer" target="_blank">http://downloads.digium.com/pub/security/AST-2016-001.pdf</a> and<br>
<a href="http://downloads.digium.com/pub/security/AST-2016-001.html" rel="noreferrer" target="_blank">http://downloads.digium.com/pub/security/AST-2016-001.html</a><br>
<br>
Revision History<br>
<table>
<tr><th>Date</th><th>Editor</th><th>Revisions Made</th></tr>
<tr><td>3 August, 2015</td><td>Joshua Colp</td><td>Initial creation of document</td></tr>
</table>
<br>
Asterisk Project Security Advisory - AST-2016-001<br>
Copyright (c) 2015 Digium, Inc. All Rights Reserved.<br>
Permission is hereby granted to distribute and publish this advisory in its<br>
original, unaltered form.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</font></span></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck</span><div><span style="font-family:trebuchet ms,sans-serif">skype: sylvio.jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br></div></div></div>
</div>