[asterisk-security] AST-2014-006: Asterisk Manager User Unauthorized Shell Access

Asterisk Security Team security at asterisk.org
Thu Jun 12 15:45:45 CDT 2014


               Asterisk Project Security Advisory - AST-2014-006

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       April 9, 2014                                       
        Reported By       Corey Farrell                                       
         Posted On        June 12, 2014                                       
      Last Updated On     June 12, 2014                                       
      Advisory Contact    Jonathan Rose < jrose AT digium DOT com >           
          CVE Name        CVE-2014-4046                                       

    Description  Manager users can execute arbitrary shell commands with the  
                 MixMonitor manager action. Asterisk does not require system  
                 class authorization for a manager user to use the            
                 MixMonitor action, so any manager user who is permitted to   
                 use manager commands can potentially execute shell commands  
                 as the user executing the Asterisk process.                  

    Resolution  Upgrade to a version with the patch integrated, apply the     
                patch, or do not allow users who should not have permission   
                to run shell commands to use AMI.                             

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source              11.x       All                    
          Asterisk Open Source              12.x       All                    
           Certified Asterisk               11.6       All                    

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   11.10.1, 12.3.1           
              Certified Asterisk                       11.6-cert3             

                                     Patches                         
                                SVN URL                              Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff   Asterisk  
                                                                     11        
   http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff   Asterisk  
                                                                     12        
   http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff Certified 
                                                                     Asterisk  
                                                                     11.6      

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23609       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-006.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    April 23, 2014     Jonathan Rose             Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-006
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-security mailing list