


Category:   Application (VoIP)  >   Asterisk
Vendors:   Digium (Linux Support Services)
Asterisk TLS Certificate Validation Flaw With Null Byte in Common Name Lets Remote Users Bypass Certificate Validation
SecurityTracker Alert ID:  1032052
SecurityTracker URL:
CVE Reference:   CVE-2015-3008   (Links to External Site)
Date:  Apr 9 2015
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.8.x, 11.x, 12.x, 13.x
Description:   A vulnerability was reported in Asterisk. A remote user can bypass certificate validation.

Asterisk does not properly validate the server certificate when it registers to a SIP TLS device. The common name (CN) of an X.509 certificate is an ASN.1 string carried with an explicit length and may therefore contain a null byte; Asterisk compared the CN as a NUL-terminated C string, so only the bytes before the null byte were checked against the expected name. A remote server can present a signed certificate whose CN is the expected name followed by a null byte and a different name, and the target system accepts it as valid for the expected name, enabling a man-in-the-middle attack on the TLS session.

The vendor was notified on January 12, 2015.

Maciej Szmigiero reported this vulnerability.

Impact:   A remote server can bypass certificate validation on the target client.
Solution:   The vendor has issued a fix (, 11.17.1, 12.8.2, 13.3.2, 1.8.28-cert5, 11.6-cert11, 13.1-cert2).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [FD] AST-2015-003: TLS Certificate Common name NULL byte exploit

               Asterisk Project Security Advisory - AST-2015-003

         Product        Asterisk                                              
         Summary        TLS Certificate Common name NULL byte exploit         
    Nature of Advisory  Man in the Middle Attack                              
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Major                                                 
      Exploits Known    None                                                  
       Reported On      12 January, 2015                                      
       Reported By      Maciej Szmigiero                                      
        Posted On       March 04, 2015                                        
     Last Updated On    April 8, 2015                                         
     Advisory Contact   Jonathan Rose <jrose AT digium DOT com>               
         CVE Name       CVE-2015-3008                                         

    Description When Asterisk registers to a SIP TLS device and verifies the
                server, Asterisk will accept signed certificates that match a
                common name other than the one Asterisk is expecting if the
                signed certificate has a common name containing a null byte
                after the portion of the common name that Asterisk expected. For
                example, if Asterisk is trying to register to ,
                Asterisk will accept certificates of the form
                \ - for more information on this exploit, see

    Resolution  Asterisk has been patched to verify that the common name      
                length of the certificate matches the common name that        
                Asterisk actually reads. Asterisk will not accept             
                certificates with common names that contain null bytes.       
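The check described in the description and resolution above, as an added illustration that is not Asterisk's own code: a commonName is delivered with an explicit ASN.1 length, so the vulnerable comparison (copy into a C string, then strcmp) stops at the first 0x00 byte, while the fixed comparison first requires the ASN.1 length to equal the length of the string the code actually reads, which rejects any embedded null byte. The host names sip.example.com and attacker.example and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Added illustration of CVE-2015-3008 (not Asterisk's own code).
 * An X.509 commonName is an ASN.1 string with an explicit length, so
 * it may legally contain a 0x00 byte. A client that copies it into a
 * C string and compares with strcmp() only sees the bytes before it.
 */

/* Constructed sample CN (assumed names): the victim expects
 * "sip.example.com"; the attacker owns "attacker.example" and has the
 * CA issue for "sip.example.com\0.attacker.example". */
static const unsigned char crafted_cn[] = "sip.example.com\0.attacker.example";
static const size_t crafted_cn_len = sizeof(crafted_cn) - 1; /* ASN.1 length, 33 */

/* Constructed honest CN for comparison. */
static const unsigned char honest_cn[] = "sip.example.com";
static const size_t honest_cn_len = sizeof(honest_cn) - 1;   /* 15 */

/* Vulnerable check: treat the certificate bytes as a NUL-terminated
 * string. For crafted_cn strcmp() compares "sip.example.com" only. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                           const char *expected)
{
    char buf[256];

    if (cn_len >= sizeof(buf)) {
        return false;
    }
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Fixed check, following the resolution above: the ASN.1 length must
 * equal the length of the string the code reads (no embedded NUL),
 * and only then is the name compared. */
bool cn_matches_fixed(const unsigned char *cn, size_t cn_len,
                      const char *expected)
{
    char buf[256];

    if (cn_len >= sizeof(buf)) {
        return false;
    }
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    if (strlen(buf) != cn_len) {
        return false;           /* embedded 0x00: reject the certificate */
    }
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *expected = "sip.example.com";

    printf("vulnerable, crafted CN accepted: %d\n",
           cn_matches_vulnerable(crafted_cn, crafted_cn_len, expected));
    printf("fixed,      crafted CN accepted: %d\n",
           cn_matches_fixed(crafted_cn, crafted_cn_len, expected));
    printf("fixed,      honest CN accepted:  %d\n",
           cn_matches_fixed(honest_cn, honest_cn_len, expected));
    return 0;
}
```

The same length-versus-strlen check applies to any name pulled out of a certificate (subjectAltName dNSName entries are also length-prefixed ASN.1 strings), and a client doing its own host name matching should apply it to every name it compares, not only the CN.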

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  1.8.x   All versions  
                  Asterisk Open Source                  11.x    All versions  
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                  1.8.28   All versions  
                   Certified Asterisk                   11.6    All versions  
                   Certified Asterisk                   13.1    All versions  

                                  Corrected In
          Product                              Release                        
     Asterisk Open Source        , 11.17.1, 12.8.2, 13.3.2                       
     Certified Asterisk         1.8.28-cert5, 11.6-cert11, 13.1-cert2         

                  SVN URL                               Revision
                                                        Certified Asterisk 1.8.28
                                                        Certified Asterisk 11.6
                                                        Certified Asterisk 13.1
                                                        Asterisk 1.8
                                                        Asterisk 11
                                                        Asterisk 12
                                                        Asterisk


    Asterisk Project Security Advisories are posted at
    This document may be superseded by later versions; if so, the latest
    version will be posted at                                 and

                                Revision History
         Date          Editor                   Revisions Made                
    19 March, 2015  Jonathan Rose  Initial creation of document               
    08 April, 2015  Matt Jordan    Added CVE.                                 

               Asterisk Project Security Advisory - AST-2015-003
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Sent through the Full Disclosure mailing list
