lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Nov 2019 16:46:02 -0600
From: "Asterisk Security Team" <>
Subject: AST-2019-007: AMI user could execute system commands.

               Asterisk Project Security Advisory - AST-2019-007

         Product        Asterisk                                              
         Summary        AMI user could execute system commands.               
    Nature of Advisory  Remote Code Execution                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      October 10, 2019                                      
       Reported By      Eliel Sarda��ons                                       
        Posted On       November 21, 2019                                     
     Last Updated On    November 21, 2019                                     
     Advisory Contact   gjoseph AT digium DOT com                             
         CVE Name       CVE-2019-18610                                        

      Description     A remote authenticated Asterisk Manager Interface       
                      (AMI) user without ���system��� authorization could use a   
                      specially crafted ���Originate��� AMI request to execute    
                      arbitrary system commands.                              
    Modules Affected  manager.c                                               

    Resolution  The specific parameters of the Originate AMI request that     
                allowed the remote code execution are now blocked if the      
                user does not have the ���system��� authorization.                

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  13.x    All releases  
                  Asterisk Open Source                  16.x    All releases  
                  Asterisk Open Source                  17.x    All releases  
                   Certified Asterisk                   13.21   All releases  

                                  Corrected In                   
                              Product                              Release    
                       Asterisk Open Source                        13.29.2    
                       Asterisk Open Source                        16.6.2     
                       Asterisk Open Source                        17.0.1     
                        Certified Asterisk                       13.21-cert5  

                               SVN URL                                Revision    Asterisk 13    Asterisk 16    Asterisk 17 Certified   


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
          Date            Editor                  Revisions Made              
    October 24, 2019   George Joseph  Initial Revision                        
    November 21, 2019  Ben Ford       Added ���Posted On��� date                  

               Asterisk Project Security Advisory - AST-2019-007
               Copyright �� 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Powered by blists - more mailing lists