CVE-2023-49294
published 2023-12-14


Priority: P2 71, high
CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N

Exploit
EPSS: 45.57% (98.6th percentile)
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.

Affected

12 ranges

Vendor | Product | Version range | Fixed in
asterisk | asterisk | < 18.20.1 | 18.20.1
asterisk | asterisk | < 18.9-cert6 | 18.9-cert6
asterisk | asterisk | (unspecified) | (unspecified)
asterisk | asterisk | (unspecified) | (unspecified)
asterisk | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u4 | 1:16.28.0~dfsg-0+deb11u4
debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)
digium | asterisk | < 18.20.1 | 18.20.1
digium | asterisk | (unspecified) | (unspecified)
digium | asterisk | >= 19.0.0 < 20.5.1 | 20.5.1
sangoma | certified_asterisk | (unspecified) | (unspecified)
sangoma | certified_asterisk | (unspecified) | (unspecified)
sangoma | certified_asterisk | (unspecified) | (unspecified)

Detection & IOCs (extracted from sources)

Indicators:
  • port: 5038
  • command: Action: GetConfig
  • path: ../../../../../../../../
  • path: /etc/hosts
  • Monitor Asterisk AMI (port 5038) for GetConfig actions where the Filename field contains path traversal sequences (e.g., '../') pointing outside the Asterisk config directory.
  • Alert on AMI GetConfig requests where the Filename parameter begins with or contains repeated '../' sequences, indicating directory traversal attempts to read arbitrary files.
  • The exploit requires authenticated AMI access; monitor for AMI Login actions followed immediately by GetConfig actions with non-standard (non-.conf) filenames as a behavioral chain indicator.
  • The vulnerability is exploitable even when live_dangerously is not enabled; do not treat that setting as a compensating control, and do not let it suppress detection of the above patterns.
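A small detector for the AMI patterns the bullets above describe, added here as an example (it is not from the page's sources or from the Asterisk project). The AMI session is constructed, and the filename rules are this example's assumptions: a `..` path component or a leading slash flags traversal, and anything not ending in `.conf` counts as a non-standard GetConfig filename for the Login-then-GetConfig chain.

```python
import re

# Constructed sample of the client side of an AMI session (not a real capture):
# a Login, a GetConfig with a traversal path, a benign GetConfig and an absolute path.
SAMPLE_AMI = (
    "Action: Login\r\nUsername: admin\r\nSecret: example\r\n\r\n"
    "Action: GetConfig\r\nFilename: ../../../../../../../../etc/hosts\r\n\r\n"
    "Action: GetConfig\r\nFilename: sip.conf\r\n\r\n"
    "Action: GetConfig\r\nFilename: /etc/hosts\r\n\r\n"
)

# A ".." path component, with either separator, anywhere in the filename (assumed rule).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_ami(stream):
    """Split an AMI text stream into packets (blank-line separated) of 'Key: Value' headers."""
    packets = []
    for raw in re.split(r"\r?\n\r?\n", stream):
        headers = {}
        for line in raw.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        if headers:
            packets.append(headers)
    return packets


def detect_getconfig_traversal(stream):
    """Return (rule, filename) alerts: traversal/absolute GetConfig filenames,
    non-.conf filenames, and a Login immediately followed by such a GetConfig."""
    alerts = []
    last_action = None
    for pkt in parse_ami(stream):
        action = pkt.get("action", "").lower()
        if action == "getconfig":
            fname = pkt.get("filename", "")
            non_conf = not fname.lower().endswith(".conf")
            if TRAVERSAL.search(fname) or fname.startswith(("/", "\\")):
                alerts.append(("traversal", fname))
            elif non_conf:
                alerts.append(("non-conf-filename", fname))
            if last_action == "login" and non_conf:
                alerts.append(("login-then-getconfig", fname))
        if action:  # server Response packets carry no Action and do not break the chain
            last_action = action
    return alerts
```

Feed it the client-to-server half of a port 5038 capture; interleaved server responses are ignored by the chain logic because they carry no Action header.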

CVSS provenance

  • nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • osv: 7.5 HIGH
  • vendor_debian: 4.9 MEDIUM