CVE-2017-14100

Name of the Vulnerable Software and Affected Versions Asterisk versions 11.x through 11.25.1 Asterisk versions 13.x through 13.17.0 Asterisk versions 14.x through 14.6.0 Certified Asterisk versions 11.x through 11.6-cert16 Certified Asterisk versions 13.x through 13.13-cert4

Description The issue is related to the app minivm module in Asterisk and Certified Asterisk, where the "externnotify" program configuration option is executed by the MinivmNotify dialplan application. This application uses the caller-id name and caller-id number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and caller-id number can come from an untrusted source, a crafted caller-id name or caller-id number allows an arbitrary shell command injection. This can be exploited by a remote attacker to execute arbitrary commands.

Recommendations For Asterisk versions 11.x through 11.25.1, update to version 11.25.2 or later. For Asterisk versions 13.x through 13.17.0, update to version 13.17.1 or later. For Asterisk versions 14.x through 14.6.0, update to version 14.6.1 or later. For Certified Asterisk versions 11.x through 11.6-cert16, update to version 11.6-cert17 or later. For Certified Asterisk versions 13.x through 13.13-cert4, update to version 13.13-cert5 or later.