Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31387
HistoryNov 24, 2014 - 12:00 a.m.

AST-2014-017: Permission escalation through ConfBridge actions/dialplan functions

2014-11-2400:00:00
vulners.com
48
           Asterisk Project Security Advisory - AST-2014-017

     Product        Asterisk                                              
     Summary        Permission escalation through ConfBridge              
                    actions/dialplan functions                            
Nature of Advisory  Permission Escalation                                 
  Susceptibility    Remote Authenticated Sessions                         
     Severity       Minor                                                 
  Exploits Known    No                                                    
   Reported On      November 4, 2014                                      
   Reported By      Gareth Palmer                                         
    Posted On       20 November, 2014                                     
 Last Updated On    November 20, 2014                                     
 Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>            
     CVE Name       Pending                                               

Description  The CONFBRIDGE dialplan function when executed from an       
             external protocol (for instance AMI), could result in a      
             privilege escalation. Also, the AMI action                   
             "ConfbridgeStartRecord" could also be used to execute        
             arbitrary system commands without first checking for system  
             access.                                                      

Resolution  Asterisk now inhibits the CONFBRIDGE function from being      
            executed from an external interface if the live_dangerously   
            option is set to no. Also, the "ConfbridgeStartRecord" AMI    
            action is now only allowed to execute under a user with       
            system level access.                                          

                           Affected Versions       
                     Product                       Release  
                                                   Series   
              Asterisk Open Source                  11.x    All versions  
              Asterisk Open Source                  12.x    All versions  
              Asterisk Open Source                  13.x    All versions  
               Certified Asterisk                   11.6    All versions  

                              Corrected In
      Product                              Release                        
Asterisk Open Source               11.14.1, 12.7.1, 13.0.1                
 Certified Asterisk                       11.6-cert8                      

                                 Patches                         
                            SVN URL                              Revision  

http://downloads.asterisk.org/pub/security/AST-2014-017-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-017-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-017-13.diff Asterisk
13
http://downloads.asterisk.org/pub/security/AST-2014-017-11.6.diff Certified
Asterisk
11.6

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24490             

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2014-017.pdf and             
http://downloads.digium.com/pub/security/AST-2014-017.html                

                            Revision History
      Date            Editor                  Revisions Made              
November 18, 2014  Kevin Harwell  Initial advisory created                

           Asterisk Project Security Advisory - AST-2014-017
          Copyright (c) 2014 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.