CVE-2024-42365: Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
First published: Thu Aug 08 2024(Updated: )
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk Asterisk | <18.24.2 | |
| Asterisk Asterisk | >=19.0.0<20.9.1 | |
| Asterisk Asterisk | =21.4.0 | |
| Asterisk Certified Asterisk | =13.13.0 | |
| Asterisk Certified Asterisk | =13.13.0-cert1 | |
| Asterisk Certified Asterisk | =13.13.0-cert1-rc1 | |
| Asterisk Certified Asterisk | =13.13.0-cert1-rc2 | |
| Asterisk Certified Asterisk | =13.13.0-cert1-rc3 | |
| Asterisk Certified Asterisk | =13.13.0-cert1-rc4 | |
| Asterisk Certified Asterisk | =13.13.0-cert2 | |
| Asterisk Certified Asterisk | =13.13.0-cert3 | |
| Asterisk Certified Asterisk | =13.13.0-rc1 | |
| Asterisk Certified Asterisk | =13.13.0-rc2 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc1 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc2 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc3 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc4 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc5 | |
| Asterisk Certified Asterisk | =16.8-cert10 | |
| Asterisk Certified Asterisk | =16.8-cert11 | |
| Asterisk Certified Asterisk | =16.8-cert12 | |
| Asterisk Certified Asterisk | =16.8-cert13 | |
| Asterisk Certified Asterisk | =16.8-cert14 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc1 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc2 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc3 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc4 | |
| Asterisk Certified Asterisk | =16.8.0 | |
| Asterisk Certified Asterisk | =16.8.0-cert1 | |
| Asterisk Certified Asterisk | =16.8.0-cert10 | |
| Asterisk Certified Asterisk | =16.8.0-cert11 | |
| Asterisk Certified Asterisk | =16.8.0-cert12 | |
| Asterisk Certified Asterisk | =16.8.0-cert2 | |
| Asterisk Certified Asterisk | =16.8.0-cert3 | |
| Asterisk Certified Asterisk | =16.8.0-cert4 | |
| Asterisk Certified Asterisk | =16.8.0-cert5 | |
| Asterisk Certified Asterisk | =16.8.0-cert6 | |
| Asterisk Certified Asterisk | =16.8.0-cert7 | |
| Asterisk Certified Asterisk | =16.8.0-cert8 | |
| Asterisk Certified Asterisk | =16.8.0-cert9 | |
| Asterisk Certified Asterisk | =18.9-cert1 | |
| Asterisk Certified Asterisk | =18.9-cert1-rc1 | |
| Asterisk Certified Asterisk | =18.9-cert10 | |
| Asterisk Certified Asterisk | =18.9-cert2 | |
| Asterisk Certified Asterisk | =18.9-cert3 | |
| Asterisk Certified Asterisk | =18.9-cert4 | |
| Asterisk Certified Asterisk | =18.9-cert5 | |
| Asterisk Certified Asterisk | =18.9-cert6 | |
| Asterisk Certified Asterisk | =18.9-cert7 | |
| Asterisk Certified Asterisk | =18.9-cert8 | |
| Asterisk Certified Asterisk | =18.9-cert8-rc1 | |
| Asterisk Certified Asterisk | =18.9-cert8-rc2 | |
| Asterisk Certified Asterisk | =18.9-cert9 | |
| Asterisk Certified Asterisk | =20.7-cert1 | |
| Asterisk Certified Asterisk | =20.7-cert1-rc1 | |
| Asterisk Certified Asterisk | =20.7-cert1-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44
- https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
- https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
- https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71
- https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993
- https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2
- https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426
- https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- vendor/asterisk
- canonical/asterisk asterisk
- version/asterisk asterisk/19.0.0
- version/asterisk asterisk/21.4.0
- canonical/asterisk certified asterisk
- version/asterisk certified asterisk/13.13.0
- version/asterisk certified asterisk/13.13.0-cert1
- version/asterisk certified asterisk/13.13.0-cert1-rc1
- version/asterisk certified asterisk/13.13.0-cert1-rc2
- version/asterisk certified asterisk/13.13.0-cert1-rc3
- version/asterisk certified asterisk/13.13.0-cert1-rc4
- version/asterisk certified asterisk/13.13.0-cert2
- version/asterisk certified asterisk/13.13.0-cert3
- version/asterisk certified asterisk/13.13.0-rc1
- version/asterisk certified asterisk/13.13.0-rc2
- version/asterisk certified asterisk/16.8-cert1-rc1
- version/asterisk certified asterisk/16.8-cert1-rc2
- version/asterisk certified asterisk/16.8-cert1-rc3
- version/asterisk certified asterisk/16.8-cert1-rc4
- version/asterisk certified asterisk/16.8-cert1-rc5
- version/asterisk certified asterisk/16.8-cert10
- version/asterisk certified asterisk/16.8-cert11
- version/asterisk certified asterisk/16.8-cert12
- version/asterisk certified asterisk/16.8-cert13
- version/asterisk certified asterisk/16.8-cert14
- version/asterisk certified asterisk/16.8-cert4-rc1
- version/asterisk certified asterisk/16.8-cert4-rc2
- version/asterisk certified asterisk/16.8-cert4-rc3
- version/asterisk certified asterisk/16.8-cert4-rc4
- version/asterisk certified asterisk/16.8.0
- version/asterisk certified asterisk/16.8.0-cert1
- version/asterisk certified asterisk/16.8.0-cert10
- version/asterisk certified asterisk/16.8.0-cert11
- version/asterisk certified asterisk/16.8.0-cert12
- version/asterisk certified asterisk/16.8.0-cert2
- version/asterisk certified asterisk/16.8.0-cert3
- version/asterisk certified asterisk/16.8.0-cert4
- version/asterisk certified asterisk/16.8.0-cert5
- version/asterisk certified asterisk/16.8.0-cert6
- version/asterisk certified asterisk/16.8.0-cert7
- version/asterisk certified asterisk/16.8.0-cert8
- version/asterisk certified asterisk/16.8.0-cert9
- version/asterisk certified asterisk/18.9-cert1
- version/asterisk certified asterisk/18.9-cert1-rc1
- version/asterisk certified asterisk/18.9-cert10
- version/asterisk certified asterisk/18.9-cert2
- version/asterisk certified asterisk/18.9-cert3
- version/asterisk certified asterisk/18.9-cert4
- version/asterisk certified asterisk/18.9-cert5
- version/asterisk certified asterisk/18.9-cert6
- version/asterisk certified asterisk/18.9-cert7
- version/asterisk certified asterisk/18.9-cert8
- version/asterisk certified asterisk/18.9-cert8-rc1
- version/asterisk certified asterisk/18.9-cert8-rc2
- version/asterisk certified asterisk/18.9-cert9
- version/asterisk certified asterisk/20.7-cert1
- version/asterisk certified asterisk/20.7-cert1-rc1
- version/asterisk certified asterisk/20.7-cert1-rc2