Asterisk Security Team
2019-Nov-21 22:46 UTC
[asterisk-announce] AST-2019-007: AMI user could execute system commands.
Asterisk Project Security Advisory - AST-2019-007
Product Asterisk
Summary AMI user could execute system commands.
Nature of Advisory Remote Code Execution
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On October 10, 2019
Reported By Eliel Sardañons
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact gjoseph AT digium DOT com
CVE Name CVE-2019-18610
Description A remote authenticated Asterisk Manager Interface
(AMI) user without “system” authorization could use a
specially crafted “Originate” AMI request to execute
arbitrary system commands.
Modules Affected manager.c
Resolution The specific parameters of the Originate AMI request that
allowed the remote code execution are now blocked if the
user does not have the “system” authorization.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All releases
Asterisk Open Source 16.x All releases
Asterisk Open Source 17.x All releases
Certified Asterisk 13.21 All releases
Corrected In
Product Release
Asterisk Open Source 13.29.2
Asterisk Open Source 16.6.2
Asterisk Open Source 17.0.1
Certified Asterisk 13.21-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff Asterisk 16
http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff Asterisk 17
http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff Certified
Asterisk
13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28580
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-007.pdf and
http://downloads.digium.com/pub/security/AST-2019-007.html
Revision History
Date Editor Revisions Made
October 24, 2019 George Joseph Initial Revision
November 21, 2019 Ben Ford Added “Posted On” date
Asterisk Project Security Advisory - AST-2019-007
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Seemingly Similar Threads
- Asterisk 13.29.2, 16.6.2, 17.0.1 and 13.21-cert5 Now Available (Security)
- AST-2019-006: SIP request can change address of a SIP peer.
- AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
- AST-2019-002: Remote crash vulnerability with MESSAGE messages
- AST-2017-007: Remote Crash Vulerability in res_pjsip
Wisdom of the Ancients
