Asterisk Project Security Advisory – AST-2014-018
|
Product |
Asterisk |
|
Summary |
AMI permission escalation through DB dialplan function |
|
Nature of Advisory |
Permission Escalation |
|
Susceptibility |
Remote Authenticated Sessions |
|
Severity |
Minor |
|
Exploits Known |
No |
|
Reported On |
November 17, 2014 |
|
Reported By |
Gareth Palmer |
|
Posted On |
20 November, 2014 |
|
Last Updated On |
|
|
Advisory Contact |
Kevin Harwell <kharwell AT digium DOT com> |
|
CVE Name |
CVE-2014-8418 |
|
Description |
The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. |
|
Resolution |
Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no.
|
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Certified Asterisk |
1.8 |
All versions |
|
Certified Asterisk |
11.6 |
All versions |
|
Asterisk Open Source |
1.8.x |
All versions |
|
Asterisk Open Source |
11.x |
All versions |
|
Asterisk Open Source |
12.x |
All versions |
|
Asterisk Open Source |
13.x |
All versions |
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source |
1.8.32.1,11.14.1, 12.7.1, 13.0.1 |
|
Certified Asterisk |
1.8.28-cert3,11.6-cert8 |
|
Patches |
|
|
SVN URL |
Revision |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.28.diff |
Certified Asterisk 1.8 |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-11.6.diff |
Certified Asterisk 11.6 |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.diff |
Asterisk 1.8 |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-11.diff |
Asterisk 11 |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-12.diff |
Asterisk 12 |
|
http://downloads.asterisk.org/pub/security/AST-2014-018-13.diff |
Asterisk 13 |
|
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-24534 |
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
November 18, 2014 |
Kevin Harwell |
Initial advisory created |
Asterisk
Project Security Advisory - AST-2014-018
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.