ALERT More Security Issues -- Poodle

Discussion in 'Bug Reporting and Fixes' started by BeerCan, Oct 15, 2014.

  1. BeerCan

    BeerCan Guru

    Joined:
    Nov 25, 2008
    Messages:
    146
    Likes Received:
    6
New security issue to be aware of. Don't know that this one is going to be too large, as it seems most modern browsers may already address this, but if you use SSLv3 anywhere you might want to investigate further. My Firefox was fine but the Chrome browser failed.

    https://www.sans.org/webcasts/about-poodle-99032
    https://www.poodletest.com/


    Some stuff I cut from another thread.
    Code:
    Is this OpenSSL/GnuTLS/browser specific?
    No. It's a protocol (design) bug, not an implementation bug. This means you can't really patch it (unless you're changing the design of the old SSLv3).
     
    Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?
    The current attack vector as shown by the researchers works with controlling the plaintext sent to the server using Javascript being run on the victim's machine. This vector does not apply to non-HTTPS scenarios without using a browser.
     
Also, normally an SSL client doesn't allow the session to be downgraded to SSLv3 (having TLSv1+ seen in the handshake capabilities), but browsers want to be very backward compatible and they do. The combination of controlling plaintext and the specific way an HTTP header is built up makes it exploitable.
     
    Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window.
     
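The poodletest.com link above checks the browser side. The server side is harder to check today because OpenSSL builds commonly ship without SSLv3, so `openssl s_client -ssl3` is often unavailable. The following probe is an added example (not code from the thread or from the PIAF project): it sends a hand-built SSLv3 ClientHello with the CBC cipher suites POODLE attacks and classifies the first record that comes back. The sample ServerHello and alert at the bottom are constructed, not captured from any real host; the hostname and port are whatever you pass on the command line.

```python
"""Probe a TLS server for SSLv3 support with a hand-built ClientHello (no OpenSSL needed)."""
import os
import socket
import struct
import sys

SSLV3 = 0x0300
# Cipher suites offered: the CBC suites POODLE attacks, plus RC4 so that a server
# which still speaks SSLv3 but refuses CBC is reported too.
PROBE_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0005, 0x0004]
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello(random_bytes=None, suites=PROBE_SUITES):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    if len(rnd) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", SSLV3)                       # client_version = 3.0
        + rnd                                          # random
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                  # compression_methods: null only
    )
    # handshake type 1 = client_hello, followed by a 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!H", SSLV3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.

    Returns (verdict, detail) with verdict one of "vulnerable", "refused", "unknown".
    """
    if len(data) < 5:
        return "refused", "connection closed without a TLS record"
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                            # alert record
        return "refused", "alert %s" % ALERT_NAMES.get(payload[1], str(payload[1]))
    if ctype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:    # handshake / ServerHello
        hs = payload[4:]
        # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
        if len(hs) < 35 or len(hs) < 37 + hs[34]:
            return "unknown", "truncated ServerHello"
        srv_version = struct.unpack("!H", hs[:2])[0]
        off = 35 + hs[34]
        cipher = struct.unpack("!H", hs[off:off + 2])[0]
        if srv_version == SSLV3:
            return "vulnerable", "SSLv3 accepted, cipher 0x%04x" % cipher
        return "unknown", "server answered with version 0x%04x" % srv_version
    return "unknown", "unexpected record type 0x%02x" % ctype


def probe(host, port=443, timeout=5.0):
    """Open a TCP connection, send the SSLv3 ClientHello, classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""   # many hardened servers just drop the connection
    return classify_response(data)


# Constructed sample responses (not captured from any real host) so the parser can
# be exercised offline; they follow the SSLv3 record and handshake layout above.
def _server_hello(version=SSLV3, cipher=0x002F):
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!H", SSLV3) + struct.pack("!H", len(hs)) + hs


SAMPLE_ACCEPT = _server_hello()                   # server agreed to SSLv3 with AES128-SHA
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"    # fatal alert 70 = protocol_version

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline check:", classify_response(SAMPLE_ACCEPT), classify_response(SAMPLE_ALERT))
    else:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(host, port, *probe(host, port))
```

Run it as `python3 sslv3probe.py your.pbx.example 443` against the Apache, Webmin and Asterisk HTTP/AMI-TLS ports after applying the fixes further down; a correctly fixed service reports "refused" (an alert or a dropped connection), and "vulnerable" means the server still completes an SSLv3 handshake.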
  2. CoinTos

    CoinTos Member

    Joined:
    Jan 5, 2012
    Messages:
    34
    Likes Received:
    7
  3. Chris Sweeney

    Joined:
    May 23, 2013
    Messages:
    223
    Likes Received:
    28
For those who want to fix Apache, you need to edit your ssl.conf and change the SSLProtocol line to this:

    SSLProtocol all -SSLv3 -SSLv2

    Usually found at /etc/httpd/conf.d/ssl.conf
     
  4. Chris Sweeney

    Joined:
    May 23, 2013
    Messages:
    223
    Likes Received:
    28
Oh, and if you are using SSL with Webmin, add the following and then restart Webmin with /etc/webmin/restart

    Fix it by adding ssl_version=10 to /etc/webmin/miniserv.conf
     
  5. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    Thanks, Chris Sweeney! For all PBX in a Flash servers and all Incredible PBX servers on the CentOS/Scientific Linux platforms, this patch should get you squared away:
    Code:
    sed -i 's|-SSLv2|-SSLv3 -SSLv2|' /etc/httpd/conf.d/ssl.conf
    sed -i 's|+SSLv3|-SSLv3 -SSLv2|' /etc/httpd/conf.d/ssl.conf
    service httpd restart
    echo "ssl_version=10" >> /etc/webmin/miniserv.conf
    service webmin restart
    
     
    markd89 and Trimline2 like this.
  6. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    On the Ubuntu/Debian platforms with Incredible PBX, use the following patch:
    Code:
    sed -i 's|SSLProtocol all|SSLProtocol all -SSLv3 -SSLv2|' /etc/apache2/mods-available/ssl.conf
    /etc/init.d/apache2 restart
    echo "ssl_version=10" >> /etc/webmin/miniserv.conf
    service webmin restart
    
     
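The sed one-liners in the three posts above each assume a particular existing SSLProtocol line (`all -SSLv2`, `+SSLv3`, or a bare `SSLProtocol all`) and append `-SSLv3` again if run twice. The script below is an added example, not the PIAF project's own patch, and generalises them: it rewrites any active SSLProtocol directive, checks afterwards that no line can still negotiate SSLv3, and sets the Webmin `ssl_version=10` line exactly once. It assumes GNU sed and awk (CentOS/Scientific Linux and Debian/Ubuntu both have them); the config paths are arguments, and restarting httpd/apache2 and webmin is still done by hand as in the posts.

```shell
#!/bin/sh
# Disable SSLv2/SSLv3 in an Apache ssl.conf and pin Webmin to TLS, idempotently.
# Assumes GNU sed (for -i) and awk; paths are passed in, nothing is restarted here.

# Rewrite every active SSLProtocol directive, whatever form it had
# ("all -SSLv2", "-all +SSLv3 +TLSv1", already fixed ...), leaving comments alone.
harden_ssl_protocol() {
    sed -i -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*$/\1SSLProtocol all -SSLv2 -SSLv3/' "$1"
}

# Exit 0 if no active SSLProtocol line can still negotiate SSLv3, else print the
# offending lines and exit 1. A line is safe if it lists -SSLv3, or if it names
# neither "all" nor SSLv3 at all (e.g. "SSLProtocol TLSv1.2").
sslv3_disabled() {
    awk '
        $1 == "SSLProtocol" {
            safe = 0; enables = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-SSLv3") safe = 1
                if ($i == "all" || $i == "+all" || $i == "SSLv3" || $i == "+SSLv3") enables = 1
            }
            if (!safe && enables) { print FILENAME ": " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Set ssl_version=10 (the TLSv1 setting used in the posts above) exactly once,
# replacing an existing value rather than appending a duplicate line.
webmin_force_tls() {
    if grep -q '^ssl_version=' "$1"; then
        sed -i 's/^ssl_version=.*/ssl_version=10/' "$1"
    else
        echo "ssl_version=10" >> "$1"
    fi
}

# Usage: sh poodle-fix.sh /etc/httpd/conf.d/ssl.conf [/etc/webmin/miniserv.conf]
# (Debian/Ubuntu: /etc/apache2/mods-available/ssl.conf), then restart httpd
# or apache2 and webmin as in the posts above.
if [ "$#" -ge 1 ]; then
    harden_ssl_protocol "$1"
    if sslv3_disabled "$1"; then echo "$1: SSLv3 disabled"; fi
    if [ -n "$2" ]; then webmin_force_tls "$2"; fi
fi
```

`sslv3_disabled` is also useful on its own as a quick audit of a config you did not patch yourself: it exits non-zero and prints the line for any directive such as `SSLProtocol all` or `SSLProtocol -all +SSLv3 +TLSv1` that still leaves SSLv3 negotiable.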
  7. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    The Asterisk Development Team has announced security releases for Certified
    Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
    security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
    11.13.1, 12.6.1, and 13.0.0-beta3.

    These releases are available for immediate download at
    http://downloads.asterisk.org/pub/telephony/asterisk/releases

    The release of these versions resolves the following security vulnerability:

    * AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

    Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp modules both use SSLv3 exclusively for their
encrypted connections.
    2) The core TLS handling in Asterisk, which is used by the chan_sip channel
    driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
    default allow a TLS connection to fallback to SSLv3. This allows for a
    MITM to potentially force a connection to fallback to SSLv3, exposing it
    to the POODLE vulnerability.

    These issues have been resolved in the versions released in conjunction with
    this security advisory.


    By popular request, here is the latest, all-purpose upgrade script for Asterisk 11.

    WARNING: Your server must already be running PIAF-Green or Incredible PBX 11 with some version of Asterisk 11, NOT 10, NOT 12, NOT 13, NOT 1.8, or below!

    Code:
    cd /root
    wget http://pbxinaflash.com/upgrade-asterisk11-piaf.tar.gz
    tar zxvf upgrade-asterisk11-piaf.tar.gz
    rm upgrade-asterisk11-piaf.tar.gz
    ./upgrade-asterisk-piaf
    
     
  8. lrosenman

    lrosenman Guru

    Joined:
    Oct 17, 2014
    Messages:
    222
    Likes Received:
    30
    Note: Ward's script expects the expect(1) program, which was NOT installed by default on my RPI B+.

    apt-get install expect

    will add it. :)
     
    wardmundy likes this.
  9. diatonic

    diatonic New Member

    Joined:
    Aug 5, 2014
    Messages:
    3
    Likes Received:
    0
    darmock Will update-source work on PIAF purple?
     
  10. directionpointer

    directionpointer New Member

    Joined:
    May 27, 2013
    Messages:
    18
    Likes Received:
    6
    Shows Asterisk Source Version = UNKNOWN after the upgrade from Asterisk Source Version 11.12.0 with "Running Asterisk Version" being the same.

Are there any issues with it not seeing the original source version?

    System Info:

    PIAF Installed Version = 3.0.6.5 under *XEN* on Rent PBX
    FreePBX Version = 2.11.0.38
    Running Asterisk Version = 11.13.1
    Asterisk Source Version = UNKNOWN
    Dahdi Source Version = 2.10.0
    Libpri Source Version = 1.4.15
    IP Address = XXX.XXX.XXX.XXX on eth0
    Operating System = Scientific Linux release 6.5
    Kernel Version = 2.6.32-431.5.1.el6.i686 - 32 Bit
    Incredible Version = 11.10

    Error in the script where it ended off:

    ./upgrade-asterisk-piaf: line 43: /etc/pbx/.version: Permission denied
     
    wardmundy likes this.
  11. lrosenman

    lrosenman Guru

    Joined:
    Oct 17, 2014
    Messages:
    222
    Likes Received:
    30
The script should be run as root as far as I know, so that's why the permission error.
     
  12. directionpointer

    directionpointer New Member

    Joined:
    May 27, 2013
    Messages:
    18
    Likes Received:
    6
Except that it was being run as the root user... so that should not be the issue... Though I will dig around in the file and system permissions as that is likely the problem. Was just seeing if anyone else came across the same issue and already had the fix.

    Thanks though!
     
  13. lrosenman

    lrosenman Guru

    Joined:
    Oct 17, 2014
    Messages:
    222
    Likes Received:
    30
    selinux maybe?
     
  14. kenn10

    kenn10 Guru-ish

    Joined:
    Dec 16, 2007
    Messages:
    801
    Likes Received:
    119
    This is how I fixed the "Version Unknown" issue:


    Just go to /usr/src/ and do a "mv asterisk-11.13.1 asterisk"

    Then your status screen will show correctly.
     
    Albert S likes this.
  15. darmock

    darmock PIAF Developer

    Joined:
    Oct 18, 2007
    Messages:
    2,892
    Likes Received:
    98
Differing methodologies, I am afraid. Ward and I have to make it consistent. If you use update-source it should take care of all of it. I have been working on a program that is a cron job and looks to see what is the latest in a family and simply updates it. Trouble is that unless we have already generated the autoconf files it will install with only the bare minimum of choices. So still thinking on this.


    Tom
     
  16. lrosenman

    lrosenman Guru

    Joined:
    Oct 17, 2014
    Messages:
    222
    Likes Received:
    30
    darmock -- what about saving the autoconf files somewhere(tm)?
     
  17. darmock

    darmock PIAF Developer

    Joined:
    Oct 18, 2007
    Messages:
    2,892
    Likes Received:
    98
Autoconf files have to be generated EACH time Digium releases a new version. They are saved on our servers and are available for download in the clear.

    Unfortunately someone has to GENERATE these files each time and of course it takes TIME. Thus we have an automated process to update asterisk whenever a new version comes out and it works just fine BUT if WE have not generated the autoconf files FOR EACH VERSION then it can't work automatically. Currently the alpha program has had the ability to run it from cron disabled.

    When it can't work automatically then the user MUST be dumped in make menuconfig and the choices selected MANUALLY thus it prevents it from working WITHOUT user intervention.

    I have been away on vacay for 3 weeks and just getting back up to speed.

    Been thinking of rewriting the pre and post install to be universal for various flavors of linux and devices. Then you would have a unified base install for RedHat derived and Ubuntu derived distros... call it PIAF3.5 or PIAF4

    Hope this clarifies things

    Tom
     
  18. directionpointer

    directionpointer New Member

    Joined:
    May 27, 2013
    Messages:
    18
    Likes Received:
    6
    Thanks,

I have had my hands full with a few things, but it does make sense. I did try to run update-source, but it only gave me 11.12.0 as the latest. For better or worse, I currently used:

cd /usr/src/
mv asterisk-11.13.1 asterisk

    Thank you, and will watch for any future updates to this thread.