CVE-2012-2414
First published: Mon Apr 30 2012(Updated: )
main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | =1.6.2.0 | |
| Asterisk | =1.6.2.0-rc2 | |
| Asterisk | =1.6.2.0-rc3 | |
| Asterisk | =1.6.2.0-rc4 | |
| Asterisk | =1.6.2.0-rc5 | |
| Asterisk | =1.6.2.0-rc6 | |
| Asterisk | =1.6.2.0-rc7 | |
| Asterisk | =1.6.2.0-rc8 | |
| Asterisk | =1.6.2.1 | |
| Asterisk | =1.6.2.1-rc1 | |
| Asterisk | =1.6.2.2 | |
| Asterisk | =1.6.2.3-rc2 | |
| Asterisk | =1.6.2.4 | |
| Asterisk | =1.6.2.5 | |
| Asterisk | =1.6.2.6 | |
| Asterisk | =1.6.2.6-rc1 | |
| Asterisk | =1.6.2.6-rc2 | |
| Asterisk | =1.6.2.7 | |
| Asterisk | =1.6.2.7-rc1 | |
| Asterisk | =1.6.2.7-rc2 | |
| Asterisk | =1.6.2.7-rc3 | |
| Asterisk | =1.6.2.8 | |
| Asterisk | =1.6.2.8-rc1 | |
| Asterisk | =1.6.2.9 | |
| Asterisk | =1.6.2.9-rc1 | |
| Asterisk | =1.6.2.9-rc2 | |
| Asterisk | =1.6.2.9-rc3 | |
| Asterisk | =1.6.2.10 | |
| Asterisk | =1.6.2.10-rc1 | |
| Asterisk | =1.6.2.10-rc2 | |
| Asterisk | =1.6.2.11 | |
| Asterisk | =1.6.2.11-rc1 | |
| Asterisk | =1.6.2.11-rc2 | |
| Asterisk | =1.6.2.12 | |
| Asterisk | =1.6.2.12-rc1 | |
| Asterisk | =1.6.2.13 | |
| Asterisk | =1.6.2.14 | |
| Asterisk | =1.6.2.14-rc1 | |
| Asterisk | =1.6.2.15 | |
| Asterisk | =1.6.2.15-rc1 | |
| Asterisk | =1.6.2.15.1 | |
| Asterisk | =1.6.2.16 | |
| Asterisk | =1.6.2.16-rc1 | |
| Asterisk | =1.6.2.16.1 | |
| Asterisk | =1.6.2.16.2 | |
| Asterisk | =1.6.2.17 | |
| Asterisk | =1.6.2.17-rc1 | |
| Asterisk | =1.6.2.17-rc2 | |
| Asterisk | =1.6.2.17-rc3 | |
| Asterisk | =1.6.2.17.1 | |
| Asterisk | =1.6.2.17.2 | |
| Asterisk | =1.6.2.17.3 | |
| Asterisk | =1.6.2.18 | |
| Asterisk | =1.6.2.18-rc1 | |
| Asterisk | =1.6.2.18.1 | |
| Asterisk | =1.6.2.18.2 | |
| Asterisk | =1.6.2.19 | |
| Asterisk | =1.6.2.19-rc1 | |
| Asterisk | =1.6.2.20 | |
| Asterisk | =1.6.2.21 | |
| Asterisk | =1.6.2.22 | |
| Asterisk | =1.6.2.23 | |
| Asterisk | =1.8.0 | |
| Asterisk | =1.8.0-beta1 | |
| Asterisk | =1.8.0-beta2 | |
| Asterisk | =1.8.0-beta3 | |
| Asterisk | =1.8.0-beta4 | |
| Asterisk | =1.8.0-beta5 | |
| Asterisk | =1.8.0-rc2 | |
| Asterisk | =1.8.0-rc3 | |
| Asterisk | =1.8.0-rc4 | |
| Asterisk | =1.8.0-rc5 | |
| Asterisk | =1.8.1 | |
| Asterisk | =1.8.1-rc1 | |
| Asterisk | =1.8.1.1 | |
| Asterisk | =1.8.1.2 | |
| Asterisk | =1.8.2 | |
| Asterisk | =1.8.2-rc1 | |
| Asterisk | =1.8.2.1 | |
| Asterisk | =1.8.2.2 | |
| Asterisk | =1.8.2.3 | |
| Asterisk | =1.8.2.4 | |
| Asterisk | =1.8.3 | |
| Asterisk | =1.8.3-rc1 | |
| Asterisk | =1.8.3-rc2 | |
| Asterisk | =1.8.3-rc3 | |
| Asterisk | =1.8.3.1 | |
| Asterisk | =1.8.3.2 | |
| Asterisk | =1.8.3.3 | |
| Asterisk | =1.8.4 | |
| Asterisk | =1.8.4-rc1 | |
| Asterisk | =1.8.4-rc2 | |
| Asterisk | =1.8.4-rc3 | |
| Asterisk | =1.8.4.1 | |
| Asterisk | =1.8.4.2 | |
| Asterisk | =1.8.4.3 | |
| Asterisk | =1.8.4.4 | |
| Asterisk | =1.8.5-rc1 | |
| Asterisk | =1.8.5.0 | |
| Asterisk | =1.8.6.0 | |
| Asterisk | =1.8.6.0-rc1 | |
| Asterisk | =1.8.6.0-rc2 | |
| Asterisk | =1.8.6.0-rc3 | |
| Asterisk | =1.8.7.0 | |
| Asterisk | =1.8.7.0-rc1 | |
| Asterisk | =1.8.7.0-rc2 | |
| Asterisk | =1.8.7.1 | |
| Asterisk | =1.8.7.2 | |
| Asterisk | =1.8.8.0 | |
| Asterisk | =1.8.8.0-rc1 | |
| Asterisk | =1.8.8.0-rc2 | |
| Asterisk | =1.8.8.0-rc3 | |
| Asterisk | =1.8.8.0-rc4 | |
| Asterisk | =1.8.8.0-rc5 | |
| Asterisk | =1.8.8.1 | |
| Asterisk | =1.8.8.2 | |
| Asterisk | =1.8.9.0 | |
| Asterisk | =1.8.9.0-rc1 | |
| Asterisk | =1.8.9.0-rc2 | |
| Asterisk | =1.8.9.0-rc3 | |
| Asterisk | =1.8.9.1 | |
| Asterisk | =1.8.9.2 | |
| Asterisk | =1.8.9.3 | |
| Asterisk | =1.8.10.0 | |
| Asterisk | =1.8.10.0-rc1 | |
| Asterisk | =1.8.10.0-rc2 | |
| Asterisk | =1.8.10.0-rc3 | |
| Asterisk | =1.8.10.0-rc4 | |
| Asterisk | =1.8.10.1 | |
| Asterisk | =1.8.11.0-rc2 | |
| Asterisk | =1.8.11.0-rc3 | |
| Asterisk | =10.0.0 | |
| Asterisk | =10.0.0-beta1 | |
| Asterisk | =10.0.0-beta2 | |
| Asterisk | =10.0.0-rc1 | |
| Asterisk | =10.0.0-rc2 | |
| Asterisk | =10.0.0-rc3 | |
| Asterisk | =10.0.1 | |
| Asterisk | =10.1.0 | |
| Asterisk | =10.1.0-rc1 | |
| Asterisk | =10.1.0-rc2 | |
| Asterisk | =10.1.1 | |
| Asterisk | =10.1.2 | |
| Asterisk | =10.1.3 | |
| Asterisk | =10.2.0 | |
| Asterisk | =10.2.0-rc1 | |
| Asterisk | =10.2.0-rc2 | |
| Asterisk | =10.2.0-rc3 | |
| Asterisk | =10.2.0-rc4 | |
| Asterisk | =10.2.1 | |
| Asterisk | =10.3.0 | |
| Asterisk | =10.3.0-rc2 | |
| Asterisk | =10.3.0-rc3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.asterisk.org/pub/security/AST-2012-004.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
- http://osvdb.org/81454
- http://secunia.com/advisories/48891
- http://secunia.com/advisories/48941
- http://www.debian.org/security/2012/dsa-2460
- http://www.securityfocus.com/bid/53206
- http://www.securitytracker.com/id?1026961
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75100
Frequently Asked Questions
What is the severity of CVE-2012-2414?
CVE-2012-2414 is classified as a medium severity vulnerability.
How do I fix CVE-2012-2414?
To fix CVE-2012-2414, upgrade to Asterisk version 1.6.2.24, 1.8.11.1, or 10.3.1 or later.
What type of vulnerability is CVE-2012-2414?
CVE-2012-2414 is an authorization vulnerability in the Manager Interface of Asterisk.
Who is affected by CVE-2012-2414?
CVE-2012-2414 affects Asterisk Open Source versions 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1.
What impact does CVE-2012-2414 have?
CVE-2012-2414 allows remote authenticated users to bypass authorization checks, which may lead to unauthorized command execution.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/asterisk
- canonical/asterisk
- version/asterisk/1.6.2.0
- version/asterisk/1.6.2.0-rc2
- version/asterisk/1.6.2.0-rc3
- version/asterisk/1.6.2.0-rc4
- version/asterisk/1.6.2.0-rc5
- version/asterisk/1.6.2.0-rc6
- version/asterisk/1.6.2.0-rc7
- version/asterisk/1.6.2.0-rc8
- version/asterisk/1.6.2.1
- version/asterisk/1.6.2.1-rc1
- version/asterisk/1.6.2.2
- version/asterisk/1.6.2.3-rc2
- version/asterisk/1.6.2.4
- version/asterisk/1.6.2.5
- version/asterisk/1.6.2.6
- version/asterisk/1.6.2.6-rc1
- version/asterisk/1.6.2.6-rc2
- version/asterisk/1.6.2.7
- version/asterisk/1.6.2.7-rc1
- version/asterisk/1.6.2.7-rc2
- version/asterisk/1.6.2.7-rc3
- version/asterisk/1.6.2.8
- version/asterisk/1.6.2.8-rc1
- version/asterisk/1.6.2.9
- version/asterisk/1.6.2.9-rc1
- version/asterisk/1.6.2.9-rc2
- version/asterisk/1.6.2.9-rc3
- version/asterisk/1.6.2.10
- version/asterisk/1.6.2.10-rc1
- version/asterisk/1.6.2.10-rc2
- version/asterisk/1.6.2.11
- version/asterisk/1.6.2.11-rc1
- version/asterisk/1.6.2.11-rc2
- version/asterisk/1.6.2.12
- version/asterisk/1.6.2.12-rc1
- version/asterisk/1.6.2.13
- version/asterisk/1.6.2.14
- version/asterisk/1.6.2.14-rc1
- version/asterisk/1.6.2.15
- version/asterisk/1.6.2.15-rc1
- version/asterisk/1.6.2.15.1
- version/asterisk/1.6.2.16
- version/asterisk/1.6.2.16-rc1
- version/asterisk/1.6.2.16.1
- version/asterisk/1.6.2.16.2
- version/asterisk/1.6.2.17
- version/asterisk/1.6.2.17-rc1
- version/asterisk/1.6.2.17-rc2
- version/asterisk/1.6.2.17-rc3
- version/asterisk/1.6.2.17.1
- version/asterisk/1.6.2.17.2
- version/asterisk/1.6.2.17.3
- version/asterisk/1.6.2.18
- version/asterisk/1.6.2.18-rc1
- version/asterisk/1.6.2.18.1
- version/asterisk/1.6.2.18.2
- version/asterisk/1.6.2.19
- version/asterisk/1.6.2.19-rc1
- version/asterisk/1.6.2.20
- version/asterisk/1.6.2.21
- version/asterisk/1.6.2.22
- version/asterisk/1.6.2.23
- version/asterisk/1.8.0
- version/asterisk/1.8.0-beta1
- version/asterisk/1.8.0-beta2
- version/asterisk/1.8.0-beta3
- version/asterisk/1.8.0-beta4
- version/asterisk/1.8.0-beta5
- version/asterisk/1.8.0-rc2
- version/asterisk/1.8.0-rc3
- version/asterisk/1.8.0-rc4
- version/asterisk/1.8.0-rc5
- version/asterisk/1.8.1
- version/asterisk/1.8.1-rc1
- version/asterisk/1.8.1.1
- version/asterisk/1.8.1.2
- version/asterisk/1.8.2
- version/asterisk/1.8.2-rc1
- version/asterisk/1.8.2.1
- version/asterisk/1.8.2.2
- version/asterisk/1.8.2.3
- version/asterisk/1.8.2.4
- version/asterisk/1.8.3
- version/asterisk/1.8.3-rc1
- version/asterisk/1.8.3-rc2
- version/asterisk/1.8.3-rc3
- version/asterisk/1.8.3.1
- version/asterisk/1.8.3.2
- version/asterisk/1.8.3.3
- version/asterisk/1.8.4
- version/asterisk/1.8.4-rc1
- version/asterisk/1.8.4-rc2
- version/asterisk/1.8.4-rc3
- version/asterisk/1.8.4.1
- version/asterisk/1.8.4.2
- version/asterisk/1.8.4.3
- version/asterisk/1.8.4.4
- version/asterisk/1.8.5-rc1
- version/asterisk/1.8.5.0
- version/asterisk/1.8.6.0
- version/asterisk/1.8.6.0-rc1
- version/asterisk/1.8.6.0-rc2
- version/asterisk/1.8.6.0-rc3
- version/asterisk/1.8.7.0
- version/asterisk/1.8.7.0-rc1
- version/asterisk/1.8.7.0-rc2
- version/asterisk/1.8.7.1
- version/asterisk/1.8.7.2
- version/asterisk/1.8.8.0
- version/asterisk/1.8.8.0-rc1
- version/asterisk/1.8.8.0-rc2
- version/asterisk/1.8.8.0-rc3
- version/asterisk/1.8.8.0-rc4
- version/asterisk/1.8.8.0-rc5
- version/asterisk/1.8.8.1
- version/asterisk/1.8.8.2
- version/asterisk/1.8.9.0
- version/asterisk/1.8.9.0-rc1
- version/asterisk/1.8.9.0-rc2
- version/asterisk/1.8.9.0-rc3
- version/asterisk/1.8.9.1
- version/asterisk/1.8.9.2
- version/asterisk/1.8.9.3
- version/asterisk/1.8.10.0
- version/asterisk/1.8.10.0-rc1
- version/asterisk/1.8.10.0-rc2
- version/asterisk/1.8.10.0-rc3
- version/asterisk/1.8.10.0-rc4
- version/asterisk/1.8.10.1
- version/asterisk/1.8.11.0-rc2
- version/asterisk/1.8.11.0-rc3
- version/asterisk/10.0.0
- version/asterisk/10.0.0-beta1
- version/asterisk/10.0.0-beta2
- version/asterisk/10.0.0-rc1
- version/asterisk/10.0.0-rc2
- version/asterisk/10.0.0-rc3
- version/asterisk/10.0.1
- version/asterisk/10.1.0
- version/asterisk/10.1.0-rc1
- version/asterisk/10.1.0-rc2
- version/asterisk/10.1.1
- version/asterisk/10.1.2
- version/asterisk/10.1.3
- version/asterisk/10.2.0
- version/asterisk/10.2.0-rc1
- version/asterisk/10.2.0-rc2
- version/asterisk/10.2.0-rc3
- version/asterisk/10.2.0-rc4
- version/asterisk/10.2.1
- version/asterisk/10.3.0
- version/asterisk/10.3.0-rc2
- version/asterisk/10.3.0-rc3