CVE-2015-3008 [Medium] | Spoofing in Asterisk

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-12-28	38.23%	39.02%	+0.80%
2	2025-12-27	39.02%	38.23%	-0.80%
3	2025-10-28	—	39.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-12-28

38.23%

39.02%

+0.80%

2025-12-27

39.02%

38.23%

-0.80%

2025-10-28

—

39.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

OS Trackers for CVE-2015-3008

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2015-3008 not yet assigned priority: Debian including 1 source packages (asterisk), 2 status rows across 2 suites (bullseye, sid): resolved 2.	https://security-tracker.debian.org/tracker/CVE-2015-3008
`ubuntu`	medium	CVE-2015-3008 medium priority: Ubuntu including 1 source packages (asterisk), 27 status rows across 27 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 16, ignored 8, DNE 1, needed 1, released 1.	https://ubuntu.com/security/CVE-2015-3008

Affected software / configurations for CVE-2015-3008

Vendor	Product	Version	Raw CPE
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:::::::*
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:beta1::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:beta2::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:beta3::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:beta4::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:beta5::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:rc2::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:rc3::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:rc4::::::
digium	asterisk	1.8.0	cpe:2.3:a:digium:asterisk:1.8.0:rc5::::::
digium	asterisk	1.8.1	cpe:2.3:a:digium:asterisk:1.8.1:::::::*
digium	asterisk	1.8.1	cpe:2.3:a:digium:asterisk:1.8.1:rc1::::::
digium	asterisk	1.8.1.1	cpe:2.3:a:digium:asterisk:1.8.1.1:::::::*
digium	asterisk	1.8.1.2	cpe:2.3:a:digium:asterisk:1.8.1.2:::::::*
digium	asterisk	1.8.2	cpe:2.3:a:digium:asterisk:1.8.2:::::::*
digium	asterisk	1.8.2.1	cpe:2.3:a:digium:asterisk:1.8.2.1:::::::*
digium	asterisk	1.8.2.2	cpe:2.3:a:digium:asterisk:1.8.2.2:::::::*
digium	asterisk	1.8.2.3	cpe:2.3:a:digium:asterisk:1.8.2.3:::::::*
digium	asterisk	1.8.2.4	cpe:2.3:a:digium:asterisk:1.8.2.4:::::::*
digium	asterisk	1.8.3	cpe:2.3:a:digium:asterisk:1.8.3:::::::*
digium	asterisk	1.8.3	cpe:2.3:a:digium:asterisk:1.8.3:rc1::::::
digium	asterisk	1.8.3	cpe:2.3:a:digium:asterisk:1.8.3:rc2::::::
digium	asterisk	1.8.3	cpe:2.3:a:digium:asterisk:1.8.3:rc3::::::
digium	asterisk	1.8.3.1	cpe:2.3:a:digium:asterisk:1.8.3.1:::::::*
digium	asterisk	1.8.3.2	cpe:2.3:a:digium:asterisk:1.8.3.2:::::::*
digium	asterisk	1.8.3.3	cpe:2.3:a:digium:asterisk:1.8.3.3:::::::*
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:::::::*
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:-::::::
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:rc1::::::
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:rc2::::::
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:rc3::::::
digium	asterisk	1.8.10.0	cpe:2.3:a:digium:asterisk:1.8.10.0:rc4::::::
digium	asterisk	1.8.10.1	cpe:2.3:a:digium:asterisk:1.8.10.1:::::::*
digium	asterisk	1.8.11.0	cpe:2.3:a:digium:asterisk:1.8.11.0:::::::*
digium	asterisk	1.8.11.0	cpe:2.3:a:digium:asterisk:1.8.11.0:-::::::
digium	asterisk	1.8.11.0	cpe:2.3:a:digium:asterisk:1.8.11.0:patch::::::
digium	asterisk	1.8.11.0	cpe:2.3:a:digium:asterisk:1.8.11.0:rc2::::::
digium	asterisk	1.8.11.0	cpe:2.3:a:digium:asterisk:1.8.11.0:rc3::::::
digium	asterisk	1.8.11.1	cpe:2.3:a:digium:asterisk:1.8.11.1:::::::*
digium	asterisk	1.8.11.1	cpe:2.3:a:digium:asterisk:1.8.11.1:-::::::
digium	asterisk	1.8.11.1	cpe:2.3:a:digium:asterisk:1.8.11.1:patch::::::
digium	asterisk	1.8.12	cpe:2.3:a:digium:asterisk:1.8.12:::::::*
digium	asterisk	1.8.12.0	cpe:2.3:a:digium:asterisk:1.8.12.0:::::::*
digium	asterisk	1.8.12.0	cpe:2.3:a:digium:asterisk:1.8.12.0:-::::::
digium	asterisk	1.8.12.0	cpe:2.3:a:digium:asterisk:1.8.12.0:rc1::::::
digium	asterisk	1.8.12.0	cpe:2.3:a:digium:asterisk:1.8.12.0:rc2::::::
digium	asterisk	1.8.12.0	cpe:2.3:a:digium:asterisk:1.8.12.0:rc3::::::
digium	asterisk	1.8.12.1	cpe:2.3:a:digium:asterisk:1.8.12.1:::::::*
digium	asterisk	1.8.12.2	cpe:2.3:a:digium:asterisk:1.8.12.2:::::::*
digium	asterisk	1.8.13.0	cpe:2.3:a:digium:asterisk:1.8.13.0:::::::*
digium	asterisk	1.8.13.0	cpe:2.3:a:digium:asterisk:1.8.13.0:rc1::::::
digium	asterisk	1.8.13.0	cpe:2.3:a:digium:asterisk:1.8.13.0:rc2::::::
digium	asterisk	1.8.13.1	cpe:2.3:a:digium:asterisk:1.8.13.1:::::::*
digium	asterisk	1.8.14.0	cpe:2.3:a:digium:asterisk:1.8.14.0:-::::::
digium	asterisk	1.8.14.0	cpe:2.3:a:digium:asterisk:1.8.14.0:patch::::::
digium	asterisk	1.8.14.0	cpe:2.3:a:digium:asterisk:1.8.14.0:rc1::::::
digium	asterisk	1.8.14.0	cpe:2.3:a:digium:asterisk:1.8.14.0:rc2::::::
digium	asterisk	1.8.14.1	cpe:2.3:a:digium:asterisk:1.8.14.1:::::::*
digium	asterisk	1.8.14.1	cpe:2.3:a:digium:asterisk:1.8.14.1:-::::::
digium	asterisk	1.8.14.1	cpe:2.3:a:digium:asterisk:1.8.14.1:patch::::::
digium	asterisk	1.8.15.0	cpe:2.3:a:digium:asterisk:1.8.15.0:::::::*
digium	asterisk	1.8.15.0	cpe:2.3:a:digium:asterisk:1.8.15.0:-::::::
digium	asterisk	1.8.15.0	cpe:2.3:a:digium:asterisk:1.8.15.0:rc1::::::
digium	asterisk	1.8.15.1	cpe:2.3:a:digium:asterisk:1.8.15.1:::::::*
digium	asterisk	1.8.16.0	cpe:2.3:a:digium:asterisk:1.8.16.0:::::::*
digium	asterisk	1.8.16.0	cpe:2.3:a:digium:asterisk:1.8.16.0:-::::::
digium	asterisk	1.8.16.0	cpe:2.3:a:digium:asterisk:1.8.16.0:rc1::::::
digium	asterisk	1.8.16.0	cpe:2.3:a:digium:asterisk:1.8.16.0:rc2::::::
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:::::::*
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:-::::::
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:patch::::::
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:rc1::::::
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:rc2::::::
digium	asterisk	1.8.17.0	cpe:2.3:a:digium:asterisk:1.8.17.0:rc3::::::
digium	asterisk	1.8.18.0	cpe:2.3:a:digium:asterisk:1.8.18.0:::::::*
digium	asterisk	1.8.18.0	cpe:2.3:a:digium:asterisk:1.8.18.0:-::::::
digium	asterisk	1.8.18.0	cpe:2.3:a:digium:asterisk:1.8.18.0:rc1::::::
digium	asterisk	1.8.18.1	cpe:2.3:a:digium:asterisk:1.8.18.1:::::::*
digium	asterisk	1.8.19.0	cpe:2.3:a:digium:asterisk:1.8.19.0:::::::*
digium	asterisk	1.8.19.0	cpe:2.3:a:digium:asterisk:1.8.19.0:-::::::

References for CVE-2015-3008

URL	Tags
http://advisories.mageia.org/MGASA-2015-0153.html
http://downloads.asterisk.org/pub/security/AST-2015-003.html	Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162260.html
http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
http://seclists.org/fulldisclosure/2015/Apr/22
http://www.debian.org/security/2016/dsa-3700
http://www.mandriva.com/security/advisories?name=MDVSA-2015:206
http://www.securityfocus.com/archive/1/535222/100/0/threaded
http://www.securityfocus.com/bid/74022
http://www.securitytracker.com/id/1032052

URL

CVE-2015-3008

Exploit prediction scoring system (EPSS) score for CVE-2015-3008

Common vulnerability scoring system (CVSS) metrics for CVE-2015-3008

Weakness enumeration for CVE-2015-3008

OS Trackers for CVE-2015-3008

Affected software / configurations for CVE-2015-3008

References for CVE-2015-3008