Asterisk Project Security Advisory - AST-2011-006 Product Asterisk Summary Asterisk Manager User Shell Access Nature of Advisory Permission Escalation Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known Yes Reported On February 10, 2011 Reported By Mark Murawski Posted On April 21, 2011 Last Updated On April 21, 2011 Advisory Contact Matthew Nicholson CVE Name Description It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header with the "Application" header during an Originate action, allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this. Resolution Asterisk now performs the proper access check where appropriate during the originate manager action. Affected Versions Product Release Series Asterisk Open Source 1.4.x All versions Asterisk Open Source 1.6.1.x All versions Asterisk Open Source 1.6.2.x All versions Asterisk Open Source 1.8.x All versions Asterisk Business Edition C.x.x All versions Corrected In Product Release Asterisk Open Source 1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3 Asterisk Business Edition C.3.6.4 Patches URL Branch http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff 1.4 http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff 1.6.1 http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff 1.6.2 http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff 1.8 Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-006.pdf and http://downloads.digium.com/pub/security/AST-2011-006.html Revision History Date Editor Revisions Made 4/21/11 Matthew Nicholson Initial version Asterisk Project Security Advisory - AST-2011-006 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/