Vulnerability Details CVE-2015-3008
Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.39
EPSS Ranking 97.1%
CVSS Severity
CVSS v2 Score 4.3
References
- http://advisories.mageia.org/MGASA-2015-0153.html
- http://downloads.asterisk.org/pub/security/AST-2015-003.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162260.html
- http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
- http://seclists.org/fulldisclosure/2015/Apr/22
- http://www.debian.org/security/2016/dsa-3700
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:206
- http://www.securityfocus.com/archive/1/535222/100/0/threaded
- http://www.securityfocus.com/bid/74022
- http://www.securitytracker.com/id/1032052
- http://advisories.mageia.org/MGASA-2015-0153.html
- http://downloads.asterisk.org/pub/security/AST-2015-003.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162260.html
- http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
- http://seclists.org/fulldisclosure/2015/Apr/22
- http://www.debian.org/security/2016/dsa-3700
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:206
- http://www.securityfocus.com/archive/1/535222/100/0/threaded
- http://www.securityfocus.com/bid/74022
- http://www.securitytracker.com/id/1032052
Products affected by CVE-2015-3008
-
cpe:2.3:a:digium:asterisk:1.8.0
-
cpe:2.3:a:digium:asterisk:1.8.1
-
cpe:2.3:a:digium:asterisk:1.8.1.1
-
cpe:2.3:a:digium:asterisk:1.8.1.2
-
cpe:2.3:a:digium:asterisk:1.8.10.0
-
cpe:2.3:a:digium:asterisk:1.8.10.1
-
cpe:2.3:a:digium:asterisk:1.8.11.0
-
cpe:2.3:a:digium:asterisk:1.8.11.1
-
cpe:2.3:a:digium:asterisk:1.8.12
-
cpe:2.3:a:digium:asterisk:1.8.12.0
-
cpe:2.3:a:digium:asterisk:1.8.12.1
-
cpe:2.3:a:digium:asterisk:1.8.12.2
-
cpe:2.3:a:digium:asterisk:1.8.13.0
-
cpe:2.3:a:digium:asterisk:1.8.13.1
-
cpe:2.3:a:digium:asterisk:1.8.14.0
-
cpe:2.3:a:digium:asterisk:1.8.14.1
-
cpe:2.3:a:digium:asterisk:1.8.15.0
-
cpe:2.3:a:digium:asterisk:1.8.15.1
-
cpe:2.3:a:digium:asterisk:1.8.16.0
-
cpe:2.3:a:digium:asterisk:1.8.17.0
-
cpe:2.3:a:digium:asterisk:1.8.18.0
-
cpe:2.3:a:digium:asterisk:1.8.18.1
-
cpe:2.3:a:digium:asterisk:1.8.19.0
-
cpe:2.3:a:digium:asterisk:1.8.19.1
-
cpe:2.3:a:digium:asterisk:1.8.2
-
cpe:2.3:a:digium:asterisk:1.8.2.1
-
cpe:2.3:a:digium:asterisk:1.8.2.2
-
cpe:2.3:a:digium:asterisk:1.8.2.3
-
cpe:2.3:a:digium:asterisk:1.8.2.4
-
cpe:2.3:a:digium:asterisk:1.8.20.0
-
cpe:2.3:a:digium:asterisk:1.8.20.1
-
cpe:2.3:a:digium:asterisk:1.8.20.2
-
cpe:2.3:a:digium:asterisk:1.8.21.0
-
cpe:2.3:a:digium:asterisk:1.8.22.0
-
cpe:2.3:a:digium:asterisk:1.8.23.0
-
cpe:2.3:a:digium:asterisk:1.8.23.1
-
cpe:2.3:a:digium:asterisk:1.8.24.0
-
cpe:2.3:a:digium:asterisk:1.8.24.1
-
cpe:2.3:a:digium:asterisk:1.8.25.0
-
cpe:2.3:a:digium:asterisk:1.8.26.0
-
cpe:2.3:a:digium:asterisk:1.8.26.1
-
cpe:2.3:a:digium:asterisk:1.8.27.0
-
cpe:2.3:a:digium:asterisk:1.8.28.0
-
cpe:2.3:a:digium:asterisk:1.8.28.1
-
cpe:2.3:a:digium:asterisk:1.8.28.2
-
cpe:2.3:a:digium:asterisk:1.8.3
-
cpe:2.3:a:digium:asterisk:1.8.3.1
-
cpe:2.3:a:digium:asterisk:1.8.3.2
-
cpe:2.3:a:digium:asterisk:1.8.3.3
-
cpe:2.3:a:digium:asterisk:1.8.32.0
-
cpe:2.3:a:digium:asterisk:11.0.0
-
cpe:2.3:a:digium:asterisk:11.0.1
-
cpe:2.3:a:digium:asterisk:11.0.2
-
cpe:2.3:a:digium:asterisk:11.1.0
-
cpe:2.3:a:digium:asterisk:11.1.1
-
cpe:2.3:a:digium:asterisk:11.1.2
-
cpe:2.3:a:digium:asterisk:11.10.0
-
cpe:2.3:a:digium:asterisk:11.10.1
-
cpe:2.3:a:digium:asterisk:11.11.0
-
cpe:2.3:a:digium:asterisk:11.12.0
-
cpe:2.3:a:digium:asterisk:11.13.0
-
cpe:2.3:a:digium:asterisk:11.14.0
-
cpe:2.3:a:digium:asterisk:11.15.0
-
cpe:2.3:a:digium:asterisk:11.16.0
-
cpe:2.3:a:digium:asterisk:11.17.0
-
cpe:2.3:a:digium:asterisk:11.2.0
-
cpe:2.3:a:digium:asterisk:11.3.0
-
cpe:2.3:a:digium:asterisk:11.4.0
-
cpe:2.3:a:digium:asterisk:11.5.0
-
cpe:2.3:a:digium:asterisk:11.5.1
-
cpe:2.3:a:digium:asterisk:11.6.0
-
cpe:2.3:a:digium:asterisk:11.7.0
-
cpe:2.3:a:digium:asterisk:11.8.0
-
cpe:2.3:a:digium:asterisk:11.8.1
-
cpe:2.3:a:digium:asterisk:11.9.0
-
cpe:2.3:a:digium:asterisk:12.0.0
-
cpe:2.3:a:digium:asterisk:12.1.0
-
cpe:2.3:a:digium:asterisk:12.1.1
-
cpe:2.3:a:digium:asterisk:12.2.0
-
cpe:2.3:a:digium:asterisk:12.3.0
-
cpe:2.3:a:digium:asterisk:12.3.1
-
cpe:2.3:a:digium:asterisk:12.3.2
-
cpe:2.3:a:digium:asterisk:12.4.0
-
cpe:2.3:a:digium:asterisk:12.5.0
-
cpe:2.3:a:digium:asterisk:12.6.0
-
cpe:2.3:a:digium:asterisk:12.7.0
-
cpe:2.3:a:digium:asterisk:12.7.1
-
cpe:2.3:a:digium:asterisk:12.8.0
-
cpe:2.3:a:digium:asterisk:12.8.1
-
cpe:2.3:a:digium:asterisk:13.0.0
-
cpe:2.3:a:digium:asterisk:13.0.1
-
cpe:2.3:a:digium:asterisk:13.1.0
-
cpe:2.3:a:digium:asterisk:13.2.0
-
cpe:2.3:a:digium:asterisk:13.3.0
-
cpe:2.3:a:digium:asterisk:13.3.1
-
cpe:2.3:a:digium:certified_asterisk:1.8.0.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.1.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.10.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.11
-
cpe:2.3:a:digium:certified_asterisk:1.8.11.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.12.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.13.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.14.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.15
-
cpe:2.3:a:digium:certified_asterisk:1.8.2.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.28
-
cpe:2.3:a:digium:certified_asterisk:1.8.28.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.3.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.4.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.5.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.6.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.7.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.8.0
-
cpe:2.3:a:digium:certified_asterisk:1.8.9.0
-
cpe:2.3:a:digium:certified_asterisk:11.6
-
cpe:2.3:a:digium:certified_asterisk:11.6.0
-
cpe:2.3:a:digium:certified_asterisk:13.1