Multiple vulnerabilities in Digium Asterisk and Certified Asterisk
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-18790 CVE-2019-18976 CVE-2019-18610 |
| CWE-ID | CWE-284 CWE-20 CWE-78 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Asterisk Open Source Server applications / Conferencing, Collaboration and VoIP solutions Certified Asterisk Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Digium (Linux Support Services) |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU22934
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18790
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted SIP request, change a SIP peer’s IP address and hijack the calls.
Note: This vulnerability is only exploitable when the “nat” option is set to the default, or “auto_force_rport”.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAsterisk Open Source: 13.0.0 - 17.0.0
Certified Asterisk: 13.21-cert1 - 13.21
CPE2.3- cpe:2.3:a:digium_linux_support_services:asterisk:13.29.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium_linux_support_services:asterisk:16.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium_linux_support_services:asterisk:17.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium_linux_support_services:certified_asterisk:13.21:*:*:*:*:rv110w_wireless-n_vpn_firewall:*:*
https://seclists.org/fulldisclosure/2019/Nov/18
https://www.asterisk.org/downloads/security-advisories
https://issues.asterisk.org/jira/browse/ASTERISK-28589
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU22936
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18976
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the "res_pjsip_t38.c" module. A remote attacker can cause a denial of service condition when Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP.
Install updates from vendor's website.
Vulnerable software versionsAsterisk Open Source: 13.0.0 - 13.29.1
Certified Asterisk: 13.21-cert1 - 13.21
CPE2.3https://seclists.org/fulldisclosure/2019/Nov/20
https://issues.asterisk.org/jira/browse/ASTERISK-28612
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) OS Command Injection
EUVDB-ID: #VU22935
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-18610
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the "manager.c" module. A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization can use a specially crafted “Originate” AMI request to execute arbitrary system commands.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAsterisk Open Source: 13.0.0 - 17.0.0
Certified Asterisk: 13.21-cert1 - 13.21
CPE2.3https://seclists.org/fulldisclosure/2019/Nov/19
https://issues.asterisk.org/jira/browse/ASTERISK-28580
https://www.asterisk.org/downloads/security-advisories
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
