VoIP Mailing List Archives :: View topic - [asterisk-users] AST-2014-006: Asterisk Manager User Unauthorized Shell Access

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] AST-2014-006: Asterisk Manager User Unauthorized Shell Access

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

security at asterisk.org
Guest

Posted: Thu Jun 12, 2014 3:46 pm Post subject: [asterisk-users] AST-2014-006: Asterisk Manager User Unautho

Asterisk Project Security Advisory - AST-2014-006 Product Asterisk Summary Asterisk Manager User Unauthorized Shell Access Nature of Advisory Permission Escalation Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On April 9, 2014 Reported By Corey Farrell Posted On June 12, 2014 Last Updated On June 12, 2014 Advisory Contact Jonathan Rose < jrose AT digium DOT com > CVE Name CVE-2014-4046 Description Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process. Resolution Upgrade to a version with the patch integrated, apply the patch, or do not allow users who should not have permission to run shell commands to use AMI. Affected Versions Product Release Series Asterisk Open Source 11.x All Asterisk Open Source 12.x All Certified Asterisk 11.6 All Corrected In Product Release Asterisk Open Source 11.10.1, 12.3.1 Certified Asterisk 11.6-cert3 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff Certified Asterisk 11.6 Links https://issues.asterisk.org/jira/browse/ASTERISK-23609 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-006.pdf and http://downloads.digium.com/pub/security/AST-2014-006.html Revision History Date Editor Revisions Made April 23, 2014 Jonathan Rose Document Creation June 12, 2014 Matt Jordan Added CVE Asterisk Project Security Advisory - AST-2014-006 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum