SecurityTracker.com
Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk AMI Originate Action Lets Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1027460
SecurityTracker URL:  http://securitytracker.com/id/1027460
CVE Reference:   CVE-2012-2186   (Links to External Site)
Date:  Aug 31 2012
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.8.x prior to 1.8.15.1, 10.x prior to 10.7.1
Description:   A vulnerability was reported in Asterisk. A remote authenticated user can gain elevated privileges on the target system.

A remote authenticated user with 'originate' class authorization can perform actions that ostensibly require 'system' class authorization.

The vendor was notified on July 13, 2012.

Zubair Ashraf of IBM X-Force Research reported this vulnerability.

Impact:   A remote authenticated user can gain elevated privileges on the target system.
Solution:   The vendor has issued a fix (1.8.15.1, 10.7.1).

The vendor's advisory is available at:

http://downloads.asterisk.org/pub/security/AST-2012-012.html

Vendor URL:  downloads.asterisk.org/pub/security/AST-2012-012.html (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 30 Aug 2012 15:45:19 -0500
Subject:  [Full-disclosure] AST-2012-012: Asterisk Manager User Unauthorized Shell Access

               Asterisk Project Security Advisory - AST-2012-012

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       July 13, 2012                                       
        Reported By       Zubair Ashraf of IBM X-Force Research               
         Posted On        August 30, 2012                                     
      Last Updated On     August 30, 2012                                     
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        CVE-2012-2186                                       

    Description  The AMI Originate action can allow a remote user to specify  
                 information that can be used to execute shell commands on    
                 the system hosting Asterisk. This can result in an unwanted  
                 escalation of permissions, as the Originate action, which    
                 requires the "originate" class authorization, can be used    
                 to perform actions that would typically require the          
                 "system" class authorization. Previous attempts to prevent   
                 this permission escalation (AST-2011-006, AST-2012-004)      
                 have sought to do so by inspecting the names of              
                 applications and functions passed in with the Originate      
                 action and, if those applications/functions matched a        
                 predefined set of values, rejecting the command if the user  
                 lacked the "system" class authorization. As reported by IBM  
                 X-Force Research, the "ExternalIVR" application is not       
                 listed in the predefined set of values. The solution for     
                 this particular vulnerability is to include the              
                 "ExternalIVR" application in the set of defined              
                 applications/functions that require "system" class           
                 authorization.                                               
                                                                              
                 Unfortunately, the approach of inspecting fields in the      
                 Originate action against known applications/functions has a  
                 significant flaw. The predefined set of values can be        
                 bypassed by creative use of the Originate action or by       
                 certain dialplan configurations, which is beyond the         
                 ability of Asterisk to analyze at run-time. Attempting to    
                 work around these scenarios would result in severely         
                 restricting the applications or functions and prevent their  
                 usage for legitimate means. As such, any additional          
                 security vulnerabilities, where an application/function      
                 that would normally require the "system" class               
                 authorization can be executed by users with the "originate"  
                 class authorization, will not be addressed. Instead, the     
                 README-SERIOUSLY.bestpractices.txt file has been updated to  
                 reflect that the AMI Originate action can result in          
                 commands requiring the "system" class authorization to be    
                 executed. Proper system configuration can limit the impact   
                 of such scenarios.                                           
                                                                              
                 The next release of each version of Asterisk will contain,   
                 in addition to the fix for the "ExternalIVR" application,    
                 an updated README-SERIOUSLY.bestpractices.txt file.          

    Resolution  Asterisk now checks for the "ExternalIVR" application when    
                processing the Originate action.                              
                                                                              
                Additionally, the README-SERIOUSLY.bestpractices.txt file     
                has been updated. It is highly recommended that, if AMI is    
                utilized with accounts that have the "originate" class        
                authorization, Asterisk is run under a defined user that      
                does not have root permissions. Accounts with the             
                "originate" class authorization should be treated in a        
                similar manner to those with the "system" class               
                authorization.                                                
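The Description and Resolution above describe the permission check in terms of policy: an Originate naming an application that reaches the shell must be refused unless the caller also holds the "system" class, ExternalIVR was missing from that set, and accounts holding "originate" should be treated as system-level. The following Python is an added example, not Asterisk's own code or configuration: it models that check so the ExternalIVR gap and its fix can be seen side by side, and audits a manager.conf for accounts the best-practice text says to treat as "system". Only the "originate"/"system" classes and the ExternalIVR application come from the advisory; the other application names in the privileged sets, the audit rules and the sample manager.conf are constructed for illustration.

```python
"""Model of the AMI Originate permission check described in AST-2012-012,
plus an audit of manager.conf accounts holding the "originate" class.
Added example, not Asterisk's own code; see the assumptions in comments."""
import re

# Applications that hand control to an external process and so need "system".
# The pre-fix set is illustrative (assumed, not Asterisk's real list); the
# advisory's fix is that ExternalIVR joins it.
PRIVILEGED_APPS_PRE_FIX = frozenset({"system", "exec", "tryexec", "agi"})
PRIVILEGED_APPS_POST_FIX = PRIVILEGED_APPS_PRE_FIX | {"externalivr"}


def originate_allowed(write_classes, application, privileged_apps):
    """Decide whether an Originate may run: the caller needs the "originate"
    class at all, and "system" as well when the named application is in the
    privileged set.  Returns (allowed, reason)."""
    classes = {c.strip().lower() for c in write_classes}
    if "all" in classes:
        classes |= {"originate", "system"}
    if "originate" not in classes:
        return False, "Originate requires the 'originate' class"
    if application.lower() in privileged_apps and "system" not in classes:
        return False, f"{application} requires the 'system' class"
    return True, "ok"


def parse_manager_conf(text):
    """Parse the [section] / key = value layout of manager.conf into
    section -> {key: [values]}; repeated keys (permit, deny) accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return sections


def audit_manager_conf(text):
    """Report AMI accounts that hold 'originate' but not 'system' (per the
    advisory, treat them as system-level) and, as a constructed extra rule,
    originate-capable accounts with no deny/permit address restriction."""
    findings = []
    for name, keys in parse_manager_conf(text).items():
        if name == "general":
            continue
        write = {c.strip().lower()
                 for v in keys.get("write", []) for c in v.split(",")}
        if "all" in write:
            write |= {"originate", "system"}
        if "originate" not in write:
            continue
        if "system" not in write:
            findings.append((name, "originate without system: treat as system-level"))
        if not keys.get("deny") and not keys.get("permit"):
            findings.append((name, "originate with no deny/permit ACL"))
    return findings


# Constructed sample manager.conf, not taken from any real deployment.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1

[dialer]                       ; click-to-dial account, originate only
secret = EXAMPLE-SECRET
read = call
write = originate

[ops]                          ; operations account, explicitly system-level
secret = EXAMPLE-SECRET
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.0/255.255.255.0
read = system,call
write = system,call,originate
"""

if __name__ == "__main__":
    for label, apps in (("pre-fix", PRIVILEGED_APPS_PRE_FIX),
                        ("post-fix", PRIVILEGED_APPS_POST_FIX)):
        print(label, originate_allowed(["originate"], "ExternalIVR", apps))
    for account, finding in audit_manager_conf(SAMPLE_MANAGER_CONF):
        print(f"[{account}] {finding}")
```

Run stand-alone it shows the pre-fix model letting an originate-only account name ExternalIVR while the post-fix model refuses it, and the audit flags the `dialer` account twice, once because it holds "originate" without "system" and once because it has no address restriction; `ops` produces no findings.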

                               Affected Versions
               Product                 Release Series       
        Asterisk Open Source                1.8.x           All versions      
        Asterisk Open Source                10.x            All versions      
         Certified Asterisk                1.8.11           All versions      
        Asterisk Digiumphones        10.x.x-digiumphones    All versions      
      Asterisk Business Edition             C.3.x           All versions      

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   1.8.15.1, 10.7.1          
              Certified Asterisk                      1.8.11-cert6            
            Asterisk Digiumphones                 10.7.1-digiumphones         
          Asterisk Business Edition                     C.3.7.6               

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-012-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-012-10.diff  Asterisk 10

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20132       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-012.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-012.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    08/27/2012         Matt Jordan               Initial version              

               Asterisk Project Security Advisory - AST-2012-012
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Copyright 2014, SecurityGlobal.net LLC