#VU8064 Command injection in Certified Asterisk and Asterisk Open Source - CVE-2017-14100

Cybersecurity Help s.r.o.

Published: 2017-09-01 | Updated: 2017-09-07

Vulnerability identifier: #VU8064

Vulnerability risk: High

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]

CVE-ID: CVE-2017-14100

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Certified Asterisk
Server applications / Conferencing, Collaboration and VoIP solutions
Asterisk Open Source
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Digium (Linux Support Services)

Description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The weakness exists due to input validation flaw in the 'app_minivm' module. A remote attacker can send supply specially crafted caller-id name and number data and execute arbitrary operating system commands.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
The vulnerability is addressed in the following versions:
Asterisk Open Source - 11.25.2, 13.17.1, 14.6.1.
Certified Asterisk - 11.6-cert17, 13.13-cert5.

Vulnerable software versions

Certified Asterisk: 11.6.0 - 13.13

Asterisk Open Source: 11.0.0 - 11.21.0, 13.0.0 - 13.15.1, 14.0 - 14.4.1

External links
https://downloads.asterisk.org/pub/security/AST-2017-006.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for asterisk

Multiple vulnerability in Digium Asterisk