SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk Manager Security Check Bypass Lets Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1025433
SecurityTracker URL:  http://securitytracker.com/id/1025433
CVE Reference:   CVE-2011-1599   (Links to External Site)
Updated:  Apr 27 2011
Original Entry Date:  Apr 21 2011
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
Description:   A vulnerability was reported in Asterisk. A remote authenticated user can obtain elevated privileges on the target system.

A remote authenticated user can invoke the Asterisk Manager Interface and send the 'Async' header with the 'Application' header during an Originate action to bypass a security check and execute arbitrary shell commands.

Mark Murawski reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary shell commands on the target system.
Solution:   The vendor has issued a fix (1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3).

The vendor's advisory is available at:

http://downloads.asterisk.org/pub/security/AST-2011-006.html

Vendor URL:  downloads.asterisk.org/pub/security/AST-2011-006.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] AST-2011-006: Asterisk Manager User Shell Access

               Asterisk Project Security Advisory - AST-2011-006

         Product        Asterisk                                              
         Summary        Asterisk Manager User Shell Access                    
    Nature of Advisory  Permission Escalation                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    Yes                                                   
       Reported On      February 10, 2011                                     
       Reported By      Mark Murawski <markm AT intellasoft DOT net>          
        Posted On       April 21, 2011                                        
     Last Updated On    April 21, 2011                                        
     Advisory Contact   Matthew Nicholson <mnicholson@digium.com>             
         CVE Name       

   Description It is possible for a user of the Asterisk Manager Interface to 
               bypass a security check and execute shell commands when they   
               should not have that ability. Sending the "Async" header with  
               the "Application" header during an Originate action, allows    
               authenticated manager users to execute shell commands. Only    
               users with the "system" privilege should be able to do this.   

   Resolution Asterisk now performs the proper access check where appropriate 
              during the originate manager action.                            

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source           1.6.1.x     All versions              
         Asterisk Open Source           1.6.2.x     All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              

                                  Corrected In
              Product                               Release                   
        Asterisk Open Source        1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3   
     Asterisk Business Edition                      C.3.6.4                   

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff    1.8    

          Links         

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-006.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-006.html                 

                                Revision History
          Date                 Editor                  Revisions Made         
   4/21/11            Matthew Nicholson        Initial version                

               Asterisk Project Security Advisory - AST-2011-006
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC