Asterisk Project Security Advisory - AST-2014-018 Product Asterisk Summary AMI permission escalation through DB dialplan function Nature of Advisory Permission Escalation Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On November 17, 2014 Reported By Gareth Palmer Posted On 20 November, 2014 Last Updated On November 20, 2014 Advisory Contact Kevin Harwell <kharwell AT digium DOT com> CVE Name Pending Description The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Resolution Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no. Affected Versions Product Release Series Certified Asterisk 1.8 All versions Certified Asterisk 11.6 All versions Asterisk Open Source 1.8.x All versions Asterisk Open Source 11.x All versions Asterisk Open Source 12.x All versions Asterisk Open Source 13.x All versions Corrected In Product Release Asterisk Open Source 1.8.32.1,11.14.1, 12.7.1, 13.0.1 Certified Asterisk 1.8.28-cert3,11.6-cert8 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.28.diff Certified Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2014-018-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2014-018-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2014-018-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2014-018-13.diff Asterisk 13 Links https://issues.asterisk.org/jira/browse/ASTERISK-24534 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-018.pdf and http://downloads.digium.com/pub/security/AST-2014-018.html Revision History Date Editor Revisions Made November 18, 2014 Kevin Harwell Initial advisory created Asterisk Project Security Advisory - AST-2014-018 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.