Asterisk 'externalivr' application Shell Command Execution Security Restriction Bypass Vulnerability
Release date:
Updated on:
Affected Systems:
Asterisk Business Edition C.3.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55351
Cve id: CVE-2012-2186
Asterisk is free and open-source software that provides private branch exchange (PBX) functionality.
main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11, Asterisk Digiumphones 10.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 contains an incomplete blacklist vulnerability that allows remote authenticated users to execute arbitrary commands by requesting the ExternalIVR application in an AMI Originate action.
<* Source: Zubair Ashraf
Link: http://downloads.asterisk.org/pub/security/AST-2012-012.html
*>
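To make the incomplete-blacklist problem concrete, here is an added Python example (not code from the advisory or from the Asterisk project) that parses an AMI transcript and flags Originate requests naming a command-capable application from a user who lacks the 'system' write permission. The contents of the pre-fix list and the sample transcript are assumptions constructed for the example; ExternalIVR is the entry the advisory reports as missing from the check.

```python
import re

# Applications that can run external programs and therefore should require
# the AMI 'system' write permission when named in an Originate action.
# PRIVILEGED_APPS_OLD is an assumed pre-fix list; ExternalIVR is the entry
# that AST-2012-012 reports as missing from the check.
PRIVILEGED_APPS_OLD = ("system", "exec", "agi", "mixmonitor")
PRIVILEGED_APPS_FIXED = PRIVILEGED_APPS_OLD + ("externalivr",)

def parse_ami_actions(session):
    """Split an AMI transcript into dicts of lower-cased key -> value.
    An action is a block of 'Key: Value' lines ended by a blank line."""
    actions = []
    for block in re.split(r"\r?\n\r?\n", session.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if fields:
            actions.append(fields)
    return actions

def needs_system_perm(app, privileged_apps):
    """Substring, case-insensitive match against the privileged list."""
    app = app.lower()
    return any(name in app for name in privileged_apps)

def audit(session, user_perms, privileged_apps=PRIVILEGED_APPS_FIXED):
    """Return the Application values of Originate actions that name a
    command-capable application while the user lacks 'system'."""
    findings = []
    for action in parse_ami_actions(session):
        if action.get("action", "").lower() != "originate":
            continue
        app = action.get("application", "")
        if needs_system_perm(app, privileged_apps) and "system" not in user_perms:
            findings.append(app)
    return findings

# Constructed sample transcript from a user holding only 'originate' rights.
SAMPLE = """Action: Login
Username: amiuser
Secret: placeholder

Action: Originate
Channel: Local/100@default
Application: ExternalIVR
"""
```

Running `audit(SAMPLE, {"originate"}, PRIVILEGED_APPS_OLD)` returns nothing, which is the gap the advisory describes, while the list extended with `externalivr` flags the same request.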
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Asterisk
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://downloads.asterisk.org/pub/security/