Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30796
HistoryJun 13, 2014 - 12:00 a.m.

AST-2014-006: Asterisk Manager User Unauthorized Shell Access

2014-06-1300:00:00
vulners.com
11
JSON
           Asterisk Project Security Advisory - AST-2014-006

      Product         Asterisk                                            
      Summary         Asterisk Manager User Unauthorized Shell Access     
 Nature of Advisory   Permission Escalation                               
   Susceptibility     Remote Authenticated Sessions                       
      Severity        Minor                                               
   Exploits Known     No                                                  
    Reported On       April 9, 2014                                       
    Reported By       Corey Farrell                                       
     Posted On        June 12, 2014                                       
  Last Updated On     June 12, 2014                                       
  Advisory Contact    Jonathan Rose < jrose AT digium DOT com >           
      CVE Name        CVE-2014-4046                                       

Description  Manager users can execute arbitrary shell commands with the  
             MixMonitor manager action. Asterisk does not require system  
             class authorization for a manager user to use the            
             MixMonitor action, so any manager user who is permitted to   
             use manager commands can potentially execute shell commands  
             as the user executing the Asterisk process.                  

Resolution  Upgrade to a version with the patch integrated, apply the     
            patch, or do not allow users who should not have permission   
            to run shell commands to use AMI.                             

                           Affected Versions
             Product               Release Series  
      Asterisk Open Source              11.x       All                    
      Asterisk Open Source              12.x       All                    
       Certified Asterisk               11.6       All                    

                              Corrected In
               Product                              Release               
         Asterisk Open Source                   11.10.1, 12.3.1           
          Certified Asterisk                       11.6-cert3             

                                 Patches                         
                            SVN URL                              Revision

http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff Certified
Asterisk
11.6

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-23609       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2014-006.pdf and             
http://downloads.digium.com/pub/security/AST-2014-006.html                

                            Revision History
      Date                  Editor                 Revisions Made         
April 23, 2014     Jonathan Rose             Document Creation            
June 12, 2014      Matt Jordan               Added CVE                    

           Asterisk Project Security Advisory - AST-2014-006
          Copyright (c) 2014 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Related

nessus 5
ubuntucve 1
debiancve 1
prion 1
cve 1
mageia 1
freebsd 1
gentoo 1
openvas 1
securityvulns 1
osv 1
debian 1
nessus
nessus
Asterisk Manager Interface MixMonitor Privilege Escalation (AST-2014-006)
2014-06-17 00:00:00
GLSA-201406-25 : Asterisk: Multiple vulnerabilities
2014-06-26 00:00:00
FreeBSD : asterisk -- multiple vulnerabilities (f109b02f-f5a4-11e3-82e9-00a098b18457)
2014-06-18 00:00:00
ubuntucve
ubuntucve
CVE-2014-4046
2014-06-17 00:00:00
debiancve
debiancve
CVE-2014-4046
2014-06-17 14:55:00
prion
prion
Deserialization of untrusted data
2014-06-17 14:55:00
cve
cve
CVE-2014-4046
2014-06-17 14:55:00
mageia
mageia
Updated asterisk packages fix security vulnerabilities
2014-07-26 16:52:06
freebsd
freebsd
asterisk -- multiple vulnerabilities
2014-06-12 00:00:00
gentoo
gentoo
Asterisk: Multiple vulnerabilities
2014-06-25 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 201406-25
2015-09-29 00:00:00
securityvulns
securityvulns
Asterisk multiple security vulnerabilities
2014-06-13 00:00:00
osv
osv
asterisk - security update
2016-05-03 00:00:00
debian
debian
[SECURITY] [DLA 455-1] asterisk security update
2016-05-03 20:31:18
JSON
Related for SECURITYVULNS:DOC:30796
nessus5ubuntucve1debiancve1prion1cve1mageia1freebsd1gentoo1openvas1securityvulns1osv1debian1