Main Vulnerability Database SB2019120225

SB2019120225 - OS Command Injection in asterisk (Alpine package)

Published: December 2, 2019

Security Bulletin ID SB2019120225

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: CVE-2019-18610)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "manager.c" module. A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization can use a specially crafted “Originate” AMI request to execute arbitrary system commands.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=25ffac29e0a3e87794220e04795def02f66a3e81
https://git.alpinelinux.org/aports/commit/?id=38664bd7a807d4b24c0e0482bdb1c041e783469e
https://git.alpinelinux.org/aports/commit/?id=6a36d2a527e316e6506513ef5e5c60b2934f0962