CVE-2024-42365
Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
In short
Asterisk PBX allows AMI users holding only the basic `originate` permission to modify configuration files and execute arbitrary code by manipulating dial plans and performing file operations, creating a serious security risk.
Technical detail
An authenticated AMI user with the `write=originate` permission can use the `FILE` function inside the `SET` application to append content to Asterisk configuration files in `/etc/asterisk/`, and can also fetch remote files with curl and write them to disk, enabling arbitrary code execution through dialplan manipulation (CWE-1220, CWE-267). This bypasses the intended permission controls and requires only AMI access with the limited `originate` privilege.
Summary generated and translated by AI from the official description.
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
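The abuse path described in the technical detail and the official description (an `Originate` action whose `Application`/`Data` reach `System()`, `FILE()` writes under `/etc/asterisk/`, or `CURL()`) can be spotted on the wire or in an AMI capture. The detector below is an added example, not code from Asterisk or from this advisory; the AMI action blocks it scans are constructed samples, and the exact `FILE()` argument syntax in them is illustrative only.

```python
import re

AMI_TERMINATOR = "\r\n\r\n"  # AMI actions are CRLF header blocks ending in a blank line
CONFIG_WRITE = re.compile(r"FILE\s*\(\s*/etc/asterisk/", re.IGNORECASE)
CURL_FUNC = re.compile(r"\bCURL\s*\(", re.IGNORECASE)

# Constructed sample capture (not from the advisory): one benign Originate,
# one Set/FILE() write into /etc/asterisk/, one direct System() call.
SAMPLE_AMI = (
    "Action: Originate\r\nChannel: PJSIP/100\r\nApplication: Playback\r\n"
    "Data: hello-world\r\n\r\n"
    "Action: Originate\r\nChannel: Local/s@default\r\nApplication: Set\r\n"
    "Data: FILE(/etc/asterisk/extensions.conf,...)=<constructed>\r\n\r\n"
    "Action: Originate\r\nChannel: Local/s@default\r\nApplication: System\r\n"
    "Data: id\r\n\r\n"
)


def parse_ami_actions(raw: str) -> list:
    """Split a raw AMI stream into one dict per action; header names lower-cased."""
    actions = []
    for block in raw.split(AMI_TERMINATOR):
        if not block.strip():
            continue
        fields = {}
        for line in block.split("\r\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip().lower()] = value.strip()
        actions.append(fields)
    return actions


def find_suspicious_originates(raw: str) -> list:
    """Return one finding string per Originate that matches the CVE-2024-42365 pattern.
    Caveat: an Originate into an Exten/Context whose dialplan itself calls System()
    is invisible here; that needs the dialplan, not just the AMI traffic."""
    findings = []
    for idx, act in enumerate(parse_ami_actions(raw), 1):
        if act.get("action", "").lower() != "originate":
            continue
        app = act.get("application", "").lower()
        data = act.get("data", "")
        reasons = []
        if app == "system":
            reasons.append("Originate runs the System() application")
        if app == "set" and CONFIG_WRITE.search(data):
            reasons.append("Set writes via FILE() under /etc/asterisk/")
        if CURL_FUNC.search(data):
            reasons.append("Data references CURL()")
        if reasons:
            findings.append(f"action #{idx}: " + "; ".join(reasons))
    return findings
```

Patching to the fixed versions listed above remains the actual remediation; this only helps confirm whether the pattern was exercised against an unpatched host.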
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected products
asterisk · asterisk
References
https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426
https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426
https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71
https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993
https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2
https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44
https://lists.debian.org/debian-lts-announce/2024/10/msg00016.html