PT-2012-3866 · Digium · Asterisk Digiumphones+3

Zubair Ashraf

·

Published

2012-08-31

·

Updated

2024-08-15

·

CVE-2012-2186

CVSS v2.0

9.0

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 1.8.15.0 Asterisk Open Source versions 10.x through 10.7.0 Certified Asterisk version 1.8.11 through 1.8.11-cert5 Asterisk Digiumphones versions 10.x.x-digiumphones through 10.7.0-digiumphones Asterisk Business Edition versions C.3.x through C.3.7.5
Description The issue allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action, such as "/api/originate" or similar API endpoints, by manipulating the ExternalIVR variable.
Recommendations For Asterisk Open Source versions 1.8.x through 1.8.15.0, update to version 1.8.15.1 or later. For Asterisk Open Source versions 10.x through 10.7.0, update to version 10.7.1 or later. For Certified Asterisk version 1.8.11 through 1.8.11-cert5, update to version 1.8.11-cert6 or later. For Asterisk Digiumphones versions 10.x.x-digiumphones through 10.7.0-digiumphones, update to version 10.7.1-digiumphones or later. For Asterisk Business Edition versions C.3.x through C.3.7.5, update to version C.3.7.6 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Related Identifiers

CVE-2012-2186
DSA-2550-1

Affected Products

Asterisk Business Edition
Asterisk Digiumphones
Asterisk Open Source
Certified Asterisk