PT-2011-3245 · Digium · Asterisk Business Edition, Asterisk Open Source

Published: 2011-04-27 · Updated: 2011-09-07 · CVE-2011-1599

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Asterisk Open Source versions 1.4.x through 1.4.40.1
Asterisk Open Source versions 1.6.1.x through 1.6.1.25
Asterisk Open Source versions 1.6.2.x through 1.6.2.17.3
Asterisk Open Source versions 1.8.x through 1.8.3.3
Asterisk Business Edition C.x.x through C.3.6.4
Description

The issue arises from improper system privilege checking in the Manager Interface (AMI), allowing remote authenticated users to execute arbitrary commands. This can be achieved via an Originate action that includes an Async header in conjunction with an Application header.
Recommendations

For Asterisk Open Source versions 1.4.x through 1.4.40.1, update to version 1.4.40.1 or later.
For Asterisk Open Source versions 1.6.1.x through 1.6.1.25, update to version 1.6.1.25 or later.
For Asterisk Open Source versions 1.6.2.x through 1.6.2.17.3, update to version 1.6.2.17.3 or later.
For Asterisk Open Source versions 1.8.x through 1.8.3.3, update to version 1.8.3.3 or later.
For Asterisk Business Edition C.x.x through C.3.6.4, update to version C.3.6.4 or later.

Fix

RCE


Weakness Enumeration

Related identifiers

CVE-2011-1599
DSA-2225-1

Affected products

Asterisk Business Edition
Asterisk Open Source