ALERT More Security Issues -- Poodle

BeerCan

Guru
Joined
Nov 25, 2008
Messages
175
Reaction score
30
New security issue to be aware of. Don't know that this one is going to be to large as it seems most modern browsers may already address this but if you use sslv3 anywhere you might want to investigate further. My Firefox was good but Chrome browser failed

https://www.sans.org/webcasts/about-poodle-99032
https://www.poodletest.com/


Some stuff I cut from another thread.
Code:
Is this OpenSSL/GnuTLS/browser specific?
No. It's a protocol (design) bug, not an implementation bug. This means you can't really patch it (unless you're changing the design of the old SSLv3).
 
Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?
The current attack vector as shown by the researchers works with controlling the plaintext sent to the server using Javascript being run on the victim's machine. This vector does not apply to non-HTTPS scenarios without using a browser.
 
Also, normally an SSL client doesn't allow the session to be downgraded to SSLv3 (having TLSv1+ seen in the handshake capabilities), but browsers want to be very backward compatible and the do. The combination with controlling plaintext and the specific way a HTTP header is built up makes it exploitable.
 
Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window.
 
Joined
May 23, 2013
Messages
223
Reaction score
28
For those who want to fix Apache you need to edit your ssl.conf and change SSLProtocol to this line:

SSLProtocol all -SSLv3 -SSLv2

Usually found at /etc/httpd/conf.d/ssl.conf
 
Joined
May 23, 2013
Messages
223
Reaction score
28
Oh and if you are using SSL with Webmin add the following and then restart webmin with /etc/webmin/restart

Fix it by adding ssl_version=10 to /etc/webmin/miniserv.conf
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Thanks, Chris Sweeney! For all PBX in a Flash servers and all Incredible PBX servers on the CentOS/Scientific Linux platforms, this patch should get you squared away:
Code:
sed -i 's|-SSLv2|-SSLv3 -SSLv2|' /etc/httpd/conf.d/ssl.conf
sed -i 's|+SSLv3|-SSLv3 -SSLv2|' /etc/httpd/conf.d/ssl.conf
service httpd restart
echo "ssl_version=10" >> /etc/webmin/miniserv.conf
service webmin restart
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
On the Ubuntu/Debian platforms with Incredible PBX, use the following patch:
Code:
sed -i 's|SSLProtocol all|SSLProtocol all -SSLv3 -SSLv2|' /etc/apache2/mods-available/ssl.conf
/etc/init.d/apache2 restart
echo "ssl_version=10" >> /etc/webmin/miniserv.conf
service webmin restart
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.

These issues have been resolved in the versions released in conjunction with
this security advisory.


By popular request, here is the latest, all-purpose upgrade script for Asterisk 11.

WARNING: Your server must already be running PIAF-Green or Incredible PBX 11 with some version of Asterisk 11, NOT 10, NOT 12, NOT 13, NOT 1.8, or below!

Code:
cd /root
wget http://pbxinaflash.com/upgrade-asterisk11-piaf.tar.gz
tar zxvf upgrade-asterisk11-piaf.tar.gz
rm upgrade-asterisk11-piaf.tar.gz
./upgrade-asterisk-piaf
 

lrosenman

Guru
Joined
Oct 17, 2014
Messages
221
Reaction score
30
Note: Ward's script expects the expect(1) program, which was NOT installed by default on my RPI B+.

apt-get install expect

will add it. :)
 

directionpointer

New Member
Joined
May 27, 2013
Messages
18
Reaction score
6
Shows Asterisk Source Version = UNKNOWN after the upgrade from Asterisk Source Version 11.12.0 with "Running Asterisk Version" being the same.

Is there any issues with it not seeing the original source version?

System Info:

PIAF Installed Version = 3.0.6.5 under *XEN* on Rent PBX
FreePBX Version = 2.11.0.38
Running Asterisk Version = 11.13.1
Asterisk Source Version = UNKNOWN
Dahdi Source Version = 2.10.0
Libpri Source Version = 1.4.15
IP Address = XXX.XXX.XXX.XXX on eth0
Operating System = Scientific Linux release 6.5
Kernel Version = 2.6.32-431.5.1.el6.i686 - 32 Bit
Incredible Version = 11.10

Error in the script where it ended off:

./upgrade-asterisk-piaf: line 43: /etc/pbx/.version: Permission denied
 

lrosenman

Guru
Joined
Oct 17, 2014
Messages
221
Reaction score
30
the script should be run as root as far as I know, so that's why the permissions error.
 

directionpointer

New Member
Joined
May 27, 2013
Messages
18
Reaction score
6
Except that it was being run as root user.....so should not be the issue...Though I will dig around into file and system permissions as it likely the problem. Was just seeing if anyone else came across the same issue and already had the fix.

Thanks though!
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
This is how I fixed the "Version Unknown" issue:


Just go to /usr/src/ and do a "mv asterisk-11.13.1 asterisk"

Then your status screen will show correctly.
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
differing methodologies I am afraid. Ward and I have to make it consistent. If you use the update-source it should take care of all of it. I have been working on a program that is a cron job and looks to see what is the latest in a family and simply updates it. Trouble is that unless we have already generated the autoconf files it will install with only the bare minimum of choices. So still thinking on this


Tom
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
Autoconf file have to be generated EACH time digium releases a new version. They are saved on our servers and are available for download in the clear.

Unfortunately someone has to GENERATE these files each time and of course it takes TIME. Thus we have an automated process to update asterisk whenever a new version comes out and it works just fine BUT if WE have not generated the autoconf files FOR EACH VERSION then it can't work automatically. Currently the alpha program has had the ability to run it from cron disabled.

When it can't work automatically then the user MUST be dumped in make menuconfig and the choices selected MANUALLY thus it prevents it from working WITHOUT user intervention.

I have been away on vacay for 3 weeks and just getting back up to speed.

Been thinking of rewriting the pre and post install to be universal for various flavors of linux and devices. Then you would have a unified base install for RedHat derived and Ubuntu derived distros... call it PIAF3.5 or PIAF4

Hope this clarifies things

Tom
 

directionpointer

New Member
Joined
May 27, 2013
Messages
18
Reaction score
6
Thanks,

I have had my hands full with a few things, but it does make sense. I did try to run update source, but only gave me 11.12.0 as latest. For better or worse currently used:

/usr/src/​
mv asterisk-11.13.1 asterisk​
Thank you, and will watch for any future updates to this thread.
 

Members online

No members online now.

Forum statistics

Threads
25,782
Messages
167,509
Members
19,202
Latest member
pbxnewguy
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Top