PT-2015-6051 · Digium · Asterisk
Maciej Szmigiero · Published 2015-04-10 · Updated 2018-10-09 · CVE-2015-3008
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Asterisk Open Source versions 1.8 before 1.8.32.3
Asterisk Open Source versions 11.x before 11.17.1
Asterisk Open Source versions 12.x before 12.8.2
Asterisk Open Source versions 13.x before 13.3.2
Certified Asterisk versions 1.8.28 before 1.8.28-cert5
Certified Asterisk versions 11.6 before 11.6-cert11
Certified Asterisk versions 13.1 before 13.1-cert2
Description
The issue arises when a SIP TLS device registers: Asterisk does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
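As an added illustration (not Asterisk's code and not taken from the vendor fix), the following C functions model the check the description refers to: an X.509 CN carries an explicit ASN.1 length and may contain an embedded NUL byte, so a C-string comparison stops at that byte and accepts the certificate for the name in front of it, while a length-aware comparison rejects it. The sample CN bytes and the expected host name are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern: the CN buffer is treated as a NUL-terminated C string.
 * The ASN.1 length is ignored, so everything after an embedded NUL is
 * invisible to the comparison. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                           const char *expected)
{
    (void)cn_len;                        /* ignoring the length is the defect */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened pattern: honour the ASN.1 length, reject any embedded NUL
 * (never legal in a host name) and require an exact byte-for-byte match
 * over the whole CN. */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len,
                         const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                    /* embedded NUL: reject outright */
    if (strlen(expected) != cn_len)
        return false;                    /* lengths must agree exactly */
    return memcmp(cn, expected, cn_len) == 0;
}

/* Constructed sample CN as the bytes would arrive from a certificate:
 * "sip.example.com", then a NUL, then a second name. The ASN.1 length
 * covers all 29 bytes; the trailing C terminator is excluded below. */
const unsigned char SAMPLE_CN[] = "sip.example.com\0other.example";
const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;

/* Expected host name the SIP TLS peer is being verified against. */
const char *EXPECTED_HOST = "sip.example.com";
```

With the sample CN, `cn_matches_vulnerable` accepts the certificate for sip.example.com, whereas `cn_matches_hardened` rejects it and still accepts a legitimate 15-byte CN of exactly that name.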
Recommendations
For Asterisk Open Source version 1.8, update to version 1.8.32.3 or later.
For Asterisk Open Source version 11.x, update to version 11.17.1 or later.
For Asterisk Open Source version 12.x, update to version 12.8.2 or later.
For Asterisk Open Source version 13.x, update to version 13.3.2 or later.
For Certified Asterisk version 1.8.28, update to version 1.8.28-cert5 or later.
For Certified Asterisk version 11.6, update to version 11.6-cert11 or later.
For Certified Asterisk version 13.1, update to version 13.1-cert2 or later.
Affected Products
Asterisk