lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1dnVCW-0002z5-Jk@mail.digium.com> Date: Thu, 31 Aug 2017 14:32:28 -0500 From: "Asterisk Security Team" <security@...erisk.org> To: fulldisclosure@...lists.org Subject: [FD] AST-2017-006: Shell access command injection in app_minivm Asterisk Project Security Advisory - AST-2017-006 Product Asterisk Summary Shell access command injection in app_minivm Nature of Advisory Unauthorized command execution Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On July 1, 2017 Reported By Corey Farrell Posted On Last Updated On July 11, 2017 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name Description The app_minivm module has an “externnotify” program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. Resolution Patched Asterisk’s app_minivm module to use a different system call that passes argument strings in an array instead of having the OS shell determine the application parameter boundaries. Affected Versions Product Release Series Asterisk Open Source 11.x All releases Asterisk Open Source 13.x All releases Asterisk Open Source 14.x All releases Certified Asterisk 11.6 All releases Certified Asterisk 13.13 All releases Corrected In Product Release Asterisk Open Source 11.25.2, 13.17.1, 14.6.1 Certified Asterisk 11.6-cert17, 13.13-cert5 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2017-006-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2017-006-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2017-006-14.diff Asterisk 14 http://downloads.asterisk.org/pub/security/AST-2017-006-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2017-006-13.13.diff Certified Asterisk 13.13 Links https://issues.asterisk.org/jira/browse/ASTERISK-27103 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-006.pdf and http://downloads.digium.com/pub/security/AST-2017-006.html Revision History Date Editor Revisions Made July 11, 2017 Richard Mudgett Initial document created Asterisk Project Security Advisory - AST-2017-006 Copyright © 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists