#VU32755 Permissions, Privileges, and Access Controls in Asterisk Open Source - CVE-2012-4737

Cybersecurity Help s.r.o.

Published: 2012-08-31 | Updated: 2020-07-28

Vulnerability identifier: #VU32755

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2012-4737

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Asterisk Open Source
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Digium (Linux Support Services)

Description

The vulnerability allows a remote #AU# to read and manipulate data.

channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users to bypass intended outbound-call restrictions by leveraging the availability of these credentials.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Asterisk Open Source: 1.8.11.0 - 1.8.11.1

External links
https://downloads.asterisk.org/pub/security/AST-2012-013.html
https://secunia.com/advisories/50687
https://secunia.com/advisories/50756
https://www.debian.org/security/2012/dsa-2550
https://www.securityfocus.com/bid/55335
https://www.securitytracker.com/id?1027461

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in asterisk (Alpine package)

Permissions, Privileges, and Access Controls in Asterisk