cbcvebase.
CVE-2017-14100
published 2017-09-02

Priority: P2 (60) · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.91% (96.3th percentile)
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

Affected

105 ranges · showing 25

Vendor | Product  | Version range                           | Fixed in
debian | asterisk | < asterisk 1:13.17.1~dfsg-1 (bullseye)  | asterisk 1:13.17.1~dfsg-1 (bullseye)
digium | asterisk | (24 further rows listed without version range or fixed-in data) |

Detection & IOCs (extracted from sources)

URL: http://downloads.asterisk.org/pub/security/AST-2017-006.html
URL: https://issues.asterisk.org/jira/browse/ASTERISK-27103
  • Monitor for shell command injection via crafted caller-id name or number fields in Asterisk MinivmNotify dialplan application calls. Attacker-controlled caller-id data is passed unsanitized to the OS shell via the 'externnotify' program configuration option in app_minivm.
  • Audit Asterisk minivm.conf for the presence of the 'externnotify' configuration option; its use in vulnerable versions (Asterisk 11.x < 11.25.2, 13.x < 13.17.1, 14.x < 14.6.1, Certified Asterisk 11.x < 11.6-cert17, 13.x < 13.13-cert5) exposes the system to OS command injection via caller-id fields.
  • Alert on unexpected child processes spawned by the Asterisk process (e.g., sh, bash, or other shells) as a result of MinivmNotify execution, which may indicate successful exploitation of the externnotify shell injection.
  • The vulnerability is only exploitable if the 'externnotify' option is configured in the app_minivm module (minivm.conf). Systems not using this configuration option are not affected.
  • The attack surface is limited to the MinivmNotify dialplan application; only deployments actively using this dialplan application with externnotify configured are at risk.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |