Asterisk Project Security Advisory - AST-2019-007

Product

Asterisk

Summary

AMI user could execute system commands.

Nature of Advisory

Remote Code Execution

Susceptibility

Remote Authenticated Sessions

Severity

Minor

Exploits Known

No

Reported On

October 10, 2019

Reported By

Eliel Sardañons

Posted On

November 21, 2019

Last Updated On

November 21, 2019

Advisory Contact

gjoseph AT digium DOT com

CVE Name

CVE-2019-18610



Description

A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization could use a specially crafted “Originate” AMI request to execute arbitrary system commands.

Modules Affected

manager.c


Resolution

The specific parameters of the Originate AMI request that allowed the remote code execution are now blocked if the user does not have the “system” authorization.


Affected Versions

Product

Release Series


Asterisk Open Source

13.x

All releases

Asterisk Open Source

16.x

All releases

Asterisk Open Source

17.x

All releases

Certified Asterisk

13.21

All releases


Corrected In

Product

Release

Asterisk Open Source

13.29.2

Asterisk Open Source

16.6.2

Asterisk Open Source

17.0.1

Certified Asterisk

13.21-cert5


Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff

Asterisk 16

http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff

Asterisk 17

http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff

Certified Asterisk 13.21-cert5



Links

https://issues.asterisk.org/jira/browse/ASTERISK-28580


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-007.pdf and http://downloads.digium.com/pub/security/AST-2019-007.html


Revision History

Date

Editor

Revisions Made

October 24, 2019

George Joseph

Initial Revision

November 21, 2019

Ben Ford

Added “Posted On” date


Asterisk Project Security Advisory - AST-2019-007
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.