4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.905 High
EPSS
Percentile
98.8%
Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before
12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before
1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when
registering a SIP TLS device, does not properly handle a null byte in a
domain name in the subject’s Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary
SSL servers via a crafted certificate issued by a legitimate Certification
Authority.
downloads.asterisk.org/pub/security/AST-2015-003.html
packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
seclists.org/fulldisclosure/2015/Apr/22
www.securitytracker.com/id/1032052
issues.asterisk.org/jira/browse/ASTERISK-24847
launchpad.net/bugs/cve/CVE-2015-3008
nvd.nist.gov/vuln/detail/CVE-2015-3008
security-tracker.debian.org/tracker/CVE-2015-3008
www.cve.org/CVERecord?id=CVE-2015-3008