Asterisk 'externalivr' application Shell Command Execution Security Restriction Bypass Vulnerability

Asterisk 'externalivr' application Shell Command Execution Security Restriction Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
Asterisk Business Edition C. x. x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55351
Cve id: CVE-2012-2186

Asterisk is a free and open-source software that enables the Telephone User Switch (PBX) function.

Asterisk Open Source 1.8.15.1 earlier than 1.8.x, 10 before 10.7.1. version x, version 1.8.11 before Certified Asterisk, and 10 before Asterisk Digiumphones 10.7.1-digiumphones. x. main/manager exists in C.3.x before x-digiumphones and Asterisk Business Edition C.3.7.6. the c incomplete blacklist vulnerability allows remote users who have passed identity authentication to execute arbitrary commands through the ExternalIVR value of the original permission and the AMI Originate operation.

<* Source: Zubair Ashraf

Link: http://downloads.asterisk.org/pub/security/AST-2012-012.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Asterisk
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://downloads.asterisk.org/pub/security/