Asterisk Project Security Advisory - AST-2017-006 Product Asterisk Summary Shell access command injection in app_minivm Nature of Advisory Unauthorized command execution Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On July 1, 2017 Reported By Corey Farrell Posted On Last Updated On July 11, 2017 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name Description The app_minivm module has an â??externnotifyâ?? program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. Resolution Patched Asteriskâ??s app_minivm module to use a different system call that passes argument strings in an array instead of having the OS shell determine the application parameter boundaries. Affected Versions Product Release Series Asterisk Open Source 11.x All releases Asterisk Open Source 13.x All releases Asterisk Open Source 14.x All releases Certified Asterisk 11.6 All releases Certified Asterisk 13.13 All releases Corrected In Product Release Asterisk Open Source 11.25.2, 13.17.1, 14.6.1 Certified Asterisk 11.6-cert17, 13.13-cert5 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2017-006-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2017-006-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2017-006-14.diff Asterisk 14 http://downloads.asterisk.org/pub/security/AST-2017-006-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2017-006-13.13.diff Certified Asterisk 13.13 Links https://issues.asterisk.org/jira/browse/ASTERISK-27103 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-006.pdf and http://downloads.digium.com/pub/security/AST-2017-006.html Revision History Date Editor Revisions Made July 11, 2017 Richard Mudgett Initial document created Asterisk Project Security Advisory - AST-2017-006 Copyright © 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-announce mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-announce