AST-2012-004: Asterisk Manager User Unauthorized Shell Access


               Asterisk Project Security Advisory - AST-2012-004

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       February 23, 2011                                   
        Reported By       David Woolley                                       
         Posted On        April 23, 2012                                      
      Last Updated On     April 23, 2012                                      
      Advisory Contact    Jonathan Rose < jrose AT digium DOT com >           
          CVE Name        

    Description  A user of the Asterisk Manager Interface can bypass a        
                 security check and execute shell commands when they lack     
                 permission to do so. Under normal conditions, a user should  
                 only be able to run shell commands if that user has System   
                 class authorization. Users could bypass this restriction by  
                 using the MixMonitor application with the originate action   
                 or by using either the GetVar or Status manager actions in   
                 combination with the SHELL and EVAL functions. The patch     
                 adds checks in each affected action to verify if a user has  
                 System class authorization. If the user does not have those  
                 authorizations, Asterisk rejects the action if it detects    
                 the use of any functions or applications that run system     

    Resolution  Asterisk now performs checks against manager commands that    
                cause these behaviors for each of the affected actions.       
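As an added illustration of the check the Resolution describes (example code, not Asterisk's own; the PERM_SYSTEM bit, the RESTRICTED_APP macro, the restricted-function list and the function manager_action_allowed are assumptions for this example), a manager-side authorization check that rejects, for users without System class authorization, any action parameter that names the MixMonitor application or invokes the SHELL or EVAL function:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PERM_SYSTEM 0x01u           /* hypothetical System class bit, not Asterisk's real flag */
#define RESTRICTED_APP "MixMonitor" /* application named in the advisory */

/* Functions named in the advisory; constructed list, a real check covers every command-running function. */
static const char *const restricted_functions[] = { "SHELL", "EVAL", NULL };

/* Case-insensitive compare of n bytes; stops at the first mismatch, so a shorter a is safe. */
static int ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

/* True if value invokes a restricted function anywhere, e.g. "${SHELL(id)}" or "eval(...)". */
static int contains_restricted_function(const char *value)
{
    for (const char *p = value; *p; p++)
        for (size_t i = 0; restricted_functions[i]; i++) {
            size_t len = strlen(restricted_functions[i]);
            if (ci_equal_n(p, restricted_functions[i], len) && p[len] == '(')
                return 1;
        }
    return 0;
}

/* Check modelled on the advisory's resolution: without System class authorization, reject
 * an action whose parameters (Application, Data, Variable, Variables, ...) invoke SHELL/EVAL
 * or name the MixMonitor application. values is NULL-terminated; returns 1 to allow, 0 to reject. */
int manager_action_allowed(unsigned perms, const char *const *values)
{
    if (perms & PERM_SYSTEM)
        return 1;   /* System class users may run commands */
    for (size_t i = 0; values[i]; i++) {
        /* sizeof includes the NUL, so the whole value must equal the application name */
        if (ci_equal_n(values[i], RESTRICTED_APP, sizeof RESTRICTED_APP)
            || contains_restricted_function(values[i]))
            return 0;
    }
    return 1;
}
```

The matching is case-insensitive because Asterisk resolves application and function names without regard to case, so a check that only matched upper-case names would be bypassed trivially.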

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source            1.6.2.x      All versions           
          Asterisk Open Source             1.8.x       All versions           
          Asterisk Open Source              10.x       All versions           
        Asterisk Business Edition          C.3.x       All versions           

                                  Corrected In
                  Product                              Release                
           Asterisk Open Source    ,, 10.3.1       
         Asterisk Business Edition                     C.3.7.4                

                                SVN URL                               Revision v1.6.2   v1.8    v10      


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
          Date                  Editor                 Revisions Made         
    04/23/2012               Jonathan Rose             Initial Release              

              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
