CVE-2019-18610 — Missing Authorization in Asterisk

CWE-862 — Missing Authorization8 documents6 sources

Severity

8.8HIGHNVD

EPSS

41.9%

top 2.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Debian Linux +1 more

Timeline

PublishedNov 22

Latest updateMay 24

Description

An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDdigium/certified_asterisk13.21.0

▶NVDdigium/asterisk13.0.0 — 13.29.2+2

▶debiandebian/asterisk< asterisk 1:16.10.0~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:16.10.0~dfsg-1

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-4mx6-qmp8-735w: An issue was discovered in manager↗2022-05-24

▶

OSV

CVE-2019-18610: An issue was discovered in manager↗2019-11-22

▶

🔍Detection Rules

Suricata

ET EXPLOIT Sangoma Asterisk Originate AMI RCE (CVE-2019-18610) (PoC Based)↗2022-01-28

▶

📋Vendor Advisories

Debian

CVE-2019-18610: asterisk - An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17....↗2019

▶

💬Community

Bugzilla

CVE-2019-18610 asterisk: remote AMI user can execute arbitrary system commands using specially crafted Originate AMI request↗2020-02-11

▶

Bugzilla

CVE-2019-18610 asterisk: remote AMI user can execute arbitrary system commands using specially crafted Originate AMI request [fedora-all]↗2020-02-11

▶

Bugzilla

CVE-2019-18610 asterisk: remote AMI user can execute arbitrary system commands using specially crafted Originate AMI request [epel-6]↗2020-02-11

▶