Product | Asterisk
Summary | GetConfig AMI Action can read files outside of the Asterisk directory
Nature of Advisory | Escalation of Privileges
Susceptibility | Remote Authenticated Sessions
Severity | Minor
Exploits Known | No
Reported On | August 11, 2022
Reported By | shawty
Posted On |
Last Updated On | November 30, 2022
Advisory Contact | mbradeen AT sangoma DOT com
CVE Name | CVE-2022-42706
Description | AMI users with the "config" permission may read files outside of the Asterisk directory via the GetConfig AMI Action, even if "live_dangerously" is set to "no".
Modules Affected | manager
Resolution | The Asterisk Manager Interface has been modified to respect the Asterisk "live_dangerously" flag for GetConfig actions and will now prevent access to files outside of the Asterisk configuration directory if "live_dangerously" is set to "no". Administrators should upgrade to the latest version of Asterisk to get this capability and should also remove the "config" permission from manager users who don't need it.
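As an added audit check for the Resolution's advice (this is not Asterisk's own code), the following Python script reads an Asterisk-style manager.conf and asterisk.conf, flags every AMI user whose read or write permissions include the "config" class (the accounts able to issue GetConfig), and reports the "live_dangerously" setting; the sample files below are constructed.

```python
# Constructed sample files (not from any real system), in Asterisk's ini style.
SAMPLE_MANAGER_CONF = """\
[general]
[monitor]
read = call,log
write = originate
[provision]
read = system,config   ; config permits GetConfig
write = config
[fullaccess]
read = all             ; 'all' includes the config class
write = all
"""
SAMPLE_ASTERISK_CONF = "[options]\nlive_dangerously = no\n"

def parse_asterisk_conf(text):
    """Tiny reader for [section] / key = value / ';' comment text; templates and #include are not expanded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('['):
            current = sections.setdefault(line[1:line.index(']')], {})
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            current.setdefault(key.strip(), []).append(value.lstrip('>').strip())
    return sections

def users_with_config_permission(manager_conf_text):
    """Map each AMI user to the classes ('read'/'write') through which it holds
    'config', i.e. the accounts able to issue GetConfig."""
    findings = {}
    for user, opts in parse_asterisk_conf(manager_conf_text).items():
        if user == 'general':
            continue
        classes = set()
        for cls in ('read', 'write'):
            perms = {p.strip().lower() for v in opts.get(cls, []) for p in v.split(',')}
            if perms & {'config', 'all'}:
                classes.add(cls)
        if classes:
            findings[user] = classes
    return findings

def live_dangerously_setting(asterisk_conf_text):
    """Return the last live_dangerously value under [options], or None if unset."""
    values = parse_asterisk_conf(asterisk_conf_text).get('options', {}).get('live_dangerously', [])
    return values[-1].lower() if values else None
```

Every user the first function reports should either be upgraded past the corrected versions listed below or have "config" removed from its permission lists; an unset "live_dangerously" should be verified against the running version's default rather than assumed.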
Affected Versions
Product | Release Series | Versions
Asterisk Open Source | 16.x | All Versions
Asterisk Open Source | 18.x | All Versions
Asterisk Open Source | 19.x | All Versions
Asterisk Open Source | 20.x | All Versions
Certified Asterisk | 18.9.x | All Versions
Corrected In
Product | Release
Asterisk Open Source | 16.29.1, 18.15.1, 19.7.1, 20.0.1
Certified Asterisk | Certified-18.9-cert3
Patches
Patch URL | Revision
https://downloads.digium.com/pub/security/AST-2022-009-16.diff | Asterisk 16 |
https://downloads.digium.com/pub/security/AST-2022-009-18.diff | Asterisk 18 |
https://downloads.digium.com/pub/security/AST-2022-009-19.diff | Asterisk 19 |
https://downloads.digium.com/pub/security/AST-2022-009-20.diff | Asterisk 20 |
https://downloads.digium.com/pub/security/AST-2022-009-18.9.diff | Certified Asterisk 18.9 |
Links | https://issues.asterisk.org/jira/browse/ASTERISK-30176 and https://downloads.asterisk.org/pub/security/AST-2022-009.html
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security. This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-009.pdf and https://downloads.digium.com/pub/security/AST-2022-009.html.
Revision History
Date | Editor | Revisions Made