OS Command Injection in asterisk (Alpine package)



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-18610
CWE-ID CWE-78
Exploitation vector Network
Public exploit N/A
Vulnerable software
 asterisk (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) OS Command Injection

EUVDB-ID: #VU22935

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-18610

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "manager.c" module. A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization can use a specially crafted “Originate” AMI request to execute arbitrary system commands.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

asterisk (Alpine package): 13.3.2-r0 - 16.5.1-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=25ffac29e0a3e87794220e04795def02f66a3e81
https://git.alpinelinux.org/aports/commit/?id=38664bd7a807d4b24c0e0482bdb1c041e783469e
https://git.alpinelinux.org/aports/commit/?id=6a36d2a527e316e6506513ef5e5c60b2934f0962


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###