[asterisk-announce] AST-2014-017: <font size="3" style="font-size: 12pt">Permission escalation through ConfBridge actions/dialplan functions</font>

Asterisk Security Team security at asterisk.org
Thu Nov 20 18:15:57 CST 2014


               Asterisk Project Security Advisory - AST-2014-017

         Product        Asterisk                                              
         Summary        Permission escalation through ConfBridge              
                        actions/dialplan functions                            
    Nature of Advisory  Permission Escalation                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      November 4, 2014                                      
       Reported By      Gareth Palmer                                         
        Posted On       20 November, 2014                                     
     Last Updated On    November 20, 2014                                     
     Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>            
         CVE Name       Pending                                               

    Description  The CONFBRIDGE dialplan function when executed from an       
                 external protocol (for instance AMI), could result in a      
                 privilege escalation. Also, the AMI action                   
                 "ConfbridgeStartRecord" could also be used to execute        
                 arbitrary system commands without first checking for system  
                 access.                                                      

    Resolution  Asterisk now inhibits the CONFBRIDGE function from being      
                executed from an external interface if the live_dangerously   
                option is set to no. Also, the "ConfbridgeStartRecord" AMI    
                action is now only allowed to execute under a user with       
                system level access.                                          

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  11.x    All versions  
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                   11.6    All versions  

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source               11.14.1, 12.7.1, 13.0.1                
     Certified Asterisk                       11.6-cert8                      

                                     Patches                         
                                SVN URL                              Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-017-11.diff   Asterisk  
                                                                     11        
   http://downloads.asterisk.org/pub/security/AST-2014-017-12.diff   Asterisk  
                                                                     12        
   http://downloads.asterisk.org/pub/security/AST-2014-017-13.diff   Asterisk  
                                                                     13        
   http://downloads.asterisk.org/pub/security/AST-2014-017-11.6.diff Certified 
                                                                     Asterisk  
                                                                     11.6      

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24490             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-017.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-017.html                

                                Revision History
          Date            Editor                  Revisions Made              
    November 18, 2014  Kevin Harwell  Initial advisory created                

               Asterisk Project Security Advisory - AST-2014-017
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-announce mailing list