CVE-2017-14001
Published: 2017-09-26
Priority: P2 · 61 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 6.45% (92.9th percentile)
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| digium | asterisk_gui | <= 2.1.0 | — |
Detection & IOCs (extracted from sources)
- OS command injection is delivered via the URL request of the Digium Asterisk GUI program; monitor HTTP requests to Asterisk GUI endpoints for embedded OS command metacharacters (e.g., `;`, `|`, `&&`, `$()`) in URL parameters.
- Exploitation requires an authenticated (low-privilege) remote attacker; monitor for authenticated sessions followed by anomalous URL requests or unexpected process spawning from the Asterisk GUI service.
- Affected product is Asterisk GUI version 2.1.0 and prior; identify and flag any internet-exposed instances of this software version for priority investigation.
- No known public exploits specifically target this vulnerability at the time of advisory publication; the threat may be lower but should not be dismissed given the CVSS v3 score of 8.8.
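As an added example, not part of this record or of any source it cites, the following Python scanner applies the first two detection bullets to web-server access-log lines: it percent-decodes each query parameter of requests under the GUI path and flags those containing the listed shell metacharacters. The `/asterisk/` path prefix and the sample log lines are assumptions, since the advisory names no endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters from the detection guidance above (; | && $( ), plus
# backtick and newline, which shells also treat as command separators.
METACHAR_RE = re.compile(r"[;|`\n]|\$\(")

# Assumption: the GUI's endpoints live under this prefix; the advisory gives
# no paths, so adjust it to the deployment being monitored.
GUI_PATH_PREFIX = "/asterisk/"

# Common Log Format: client, ident, authenticated user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def suspicious_params(url):
    """(name, decoded value) pairs for GUI query parameters holding metacharacters.
    parse_qsl percent-decodes, so an encoded %3B is caught; a raw '&&' would be
    split into separate parameters by the parser, so it is checked on the raw query."""
    parts = urlsplit(url)
    if not parts.path.startswith(GUI_PATH_PREFIX):
        return []
    hits = [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if METACHAR_RE.search(value)]
    if "&&" in parts.query:
        hits.append(("<raw query>", parts.query))
    return hits

def scan_log(lines):
    """One finding per request whose GUI query carries metacharacters, keyed by
    client and authenticated user so the session can be reviewed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = suspicious_params(m.group("url"))
            if hits:
                findings.append({"ip": m.group("ip"), "user": m.group("user"),
                                 "url": m.group("url"), "params": hits})
    return findings

# Constructed sample log lines: a normal GUI request, one with an encoded ';'
# in a parameter, and a non-GUI request whose '|' is out of scope.
SAMPLE_LOG = [
    '10.0.0.5 - admin [26/Sep/2017:10:00:01 +0000] "GET /asterisk/config?name=sip.conf HTTP/1.1" 200 512',
    '10.0.0.9 - admin [26/Sep/2017:10:00:07 +0000] "GET /asterisk/config?name=sip.conf%3Bcmd HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/Sep/2017:10:00:09 +0000] "GET /static/app.js?v=1|2 HTTP/1.1" 200 9000',
]
```

Legitimate GUI parameters may contain `|` or `;` in configuration values, so treat a hit as a triage signal to be correlated with process spawning from the GUI service rather than as proof of exploitation.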
CVSS provenance
- NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CISA ICS: Digium Asterisk GUI (cisa_ics, 2017-09-21)
ICS Advisory: Digium Asterisk GUI
Last Revised: September 21, 2017
Alert Code: ICSA-17-264-03
## CVSS v3 8.8
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Digium
Equipment: Asterisk GUI
Vulnerability: Improper Neutralization of Special Elements used in an OS Command
## AFFECTED PRODUCTS
The following versions of Asterisk GUI, a framework for configuring graphical user interfaces, are affected:
- Asterisk GUI 2.1.0 and prior
## IMPACT
Successful exploitation of this vulnerability could cause an authenticated attacker to execute arbitrary code on the device.
## MITIGA
GHSA: GHSA-6j77-p2p8-fv4q (ghsa_unreviewed, 2022-05-13)
CVE-2017-14001 [HIGH] CWE-78
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.