[AsteriskBrasil] Fwd: [asterisk-dev] AST-2013-007: Asterisk Manager User Dialplan Permission Escalation

Sylvio Jollenbeck sylvio.jollenbeck at gmail.com
Monday December 16 21:20:50 BRST 2013


PSC

---------- Forwarded message ----------
From: Asterisk Security Team <security at asterisk.org>
Date: 2013/12/16
Subject: [asterisk-dev] AST-2013-007: Asterisk Manager User Dialplan
Permission Escalation
To: asterisk-dev at lists.digium.com


               Asterisk Project Security Advisory - AST-2013-007

         Product        Asterisk
         Summary        Asterisk Manager User Dialplan Permission Escalation
    Nature of Advisory  Permission Escalation
      Susceptibility    Remote Authenticated Sessions
         Severity       Minor
      Exploits Known    None
       Reported On      November 25, 2013
       Reported By      Matt Jordan
        Posted On       December 16, 2013
     Last Updated On    December 16, 2013
     Advisory Contact   David Lee < dlee AT digium DOT com >
         CVE Name       Pending

    Description  External control protocols, such as the Asterisk Manager
                 Interface, often have the ability to get and set channel
                 variables; this allows the execution of dialplan functions.

                 Dialplan functions within Asterisk are incredibly powerful,
                 which is wonderful for building applications using Asterisk.
                 But during the read or write execution, certain dialplan
                 functions do much more. For example, reading the SHELL()
                 function can execute arbitrary commands on the system
                 Asterisk is running on. Writing to the FILE() function can
                 change any file that Asterisk has write access to.

                 When these functions are executed from an external
                 protocol, that execution could result in a privilege
                 escalation.

    Resolution  Asterisk can now inhibit the execution of these functions
                from external interfaces such as AMI, if live_dangerously in
                the [options] section of asterisk.conf is set to no.

                For backwards compatibility, live_dangerously defaults to
                yes, and must be explicitly set to no to enable this
                privilege escalation protection.
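The advisory's protection only takes effect when live_dangerously is explicitly "no" in [options]. The following audit check is an added example, not code from the advisory or the Asterisk project: it parses an asterisk.conf fragment (constructed samples inline; the parser covers sections, "=" / "=>" assignments and ";" comments, and ignores #include) and reports whether the patched default still leaves dangerous dialplan functions reachable from AMI. It cannot tell whether the running build is one of the corrected versions listed below.

```python
import re
from typing import Dict, List, Tuple

# Constructed asterisk.conf fragments (not from the advisory) used by the check below.
CONF_DEFAULT = """[options]
verbose = 3
; live_dangerously not set: the advisory says it defaults to yes
"""
CONF_HARDENED = """[options]
verbose = 3
live_dangerously = no   ; AST-2013-007 protection enabled
"""
CONF_WRONG_SECTION = """[directories](!)
astetcdir => /etc/asterisk
[compat]
live_dangerously => no   ; wrong section: only [options] counts
"""

_SECTION = re.compile(r"^\[([^\]]+)\]")        # [name], [name](!) or [name](+)
_KV = re.compile(r"^([^=;]+?)\s*=>?\s*(.*)$")  # key = value  or  key => value
_FALSE = {"no", "n", "false", "f", "0", "off"}  # spellings ast_false() accepts

def parse_asterisk_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal asterisk.conf parser: sections, '='/'=>' assignments and ';'
    comments. Template suffixes are dropped; #include/#exec are ignored."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            continue
        kv = _KV.match(line)
        if kv and current is not None:
            sections[current].append((kv.group(1).strip().lower(), kv.group(2).strip()))
    return sections

def live_dangerously_enabled(conf_text: str) -> bool:
    """True when the AST-2013-007 protection is NOT active: live_dangerously in
    [options] is absent (defaults to yes per the advisory) or not a 'no' value.
    This check lets the last assignment win (assumed to match Asterisk)."""
    value = "yes"
    for key, val in parse_asterisk_conf(conf_text).get("options", []):
        if key == "live_dangerously":
            value = val.lower()
    return value not in _FALSE
```

Run it against /etc/asterisk/asterisk.conf on a corrected build; a True result means AMI Getvar/Setvar can still reach SHELL(), FILE() and similar functions.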

                               Affected Versions
                Product                 Release Series
         Asterisk Open Source                1.8.x          All Versions
         Asterisk Open Source                10.x           All Versions
      Asterisk with Digiumphones       10.x-digiumphones    All Versions
         Asterisk Open Source                11.x           All Versions
          Certified Asterisk                 1.8.x          All Versions
          Certified Asterisk                 11.x           All Versions

                                  Corrected In
                  Product                              Release
            Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1
         Asterisk with Digiumphones              10.12.4-digiumphones
             Certified Asterisk                1.8.15-cert4, 11.2-cert3

                                          Patches
    SVN URL                                                                       Revision
    http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff              Asterisk 1.8
    http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff               Asterisk 10
    http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff  Asterisk 10-digiumphones
    http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff               Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff           Certified Asterisk 1.8.15
    http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff             Certified Asterisk 11.2

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-22905

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2013-007.pdf and
    http://downloads.digium.com/pub/security/AST-2013-007.html

                                Revision History
          Date                 Editor                  Revisions Made
    12/16/2013         Matt Jordan              Initial Revision

               Asterisk Project Security Advisory - AST-2013-007
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev



-- 
Sylvio Jollenbeck
www.hosannatecnologia.com.br
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20131216/7faadfed/attachment-0001.htm


More information about the AsteriskBrasil mailing list