CVE-2024-42365
Published 2024-08-08
CVE-2024-42365: Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk…
Priority: P2 · 72 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 4.70% (90.7th percentile)
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | asterisk | < 18.9-cert11 | 18.9-cert11 |
| asterisk | asterisk | < 18.24.2 | 18.24.2 |
| asterisk | asterisk | — | — |
| asterisk | asterisk | — | — |
| asterisk | asterisk | — | — |
| asterisk | asterisk | — | — |
| asterisk | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u5 | 1:16.28.0~dfsg-0+deb11u5 |
| asterisk | asterisk | >= 19.0.0 < 20.9.1 | 20.9.1 |
| asterisk | certified_asterisk | — | — |
| asterisk | certified_asterisk | — | — |
| asterisk | certified_asterisk | — | — |
| asterisk | certified_asterisk | — | — |
| asterisk | certified_asterisk | — | — |
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u5 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u5 (bullseye) |
Detection & IOCs (extracted from sources)
- Monitor AMI sessions where the authenticated user has 'write=originate' permission — this permission level alone is sufficient for RCE via dialplan manipulation.
- Detect use of the FILE() function inside the SET dialplan application over AMI, which can be used to append arbitrary content to existing Asterisk configuration files.
- Alert on AMI Originate actions that write new dialplan extensions containing System() calls, which enable OS command execution as the asterisk service user.
- Monitor for outbound curl/HTTP requests initiated by the Asterisk process to remote hosts, which may indicate exploitation of the remote file fetch-and-write primitive.
- A public Metasploit module exists for this CVE targeting Asterisk AMI; expect exploitation attempts against the default AMI TCP port (5038).
- The vulnerability requires valid AMI credentials with 'write=originate' — it is an authenticated exploit, not unauthenticated. Restrict AMI user permissions and audit all accounts holding 'write=originate'.
- Affected versions are Asterisk < 18.24.2, < 20.9.2, < 21.4.2 and certified-asterisk < 18.9-cert11 and < 20.7-cert2. Patch to these versions or later to remediate.
- The exploit can also be used for blind SSRF with arbitrary protocol (not just HTTP), meaning network egress controls on the Asterisk host are an important compensating control.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv · 8.8 HIGH
vendor_debian · 7.4 HIGH
OSV
osv · 2024-08-08 · CVSS 8.8
CVE-2024-42365 [HIGH]: Asterisk is an open source private branch exchange (PBX) and telephony toolkit
Debian
vendor_debian · 2024 · CVSS 7.4
CVE-2024-42365 [HIGH]: asterisk - Asterisk is an open source private branch exchange (PBX) and telephony toolkit. ...
Scope: local
bullseye: resolved (fixed in 1:16.28
No detection rules found.
Bugzilla
bugzilla · 2024-08-10 · CVSS 7.4
CVE-2024-42365 [HIGH] asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [fedora-all]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2303740
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 40 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains
Bugzilla
bugzilla · 2024-08-10 · CVSS 7.4
CVE-2024-42365 [HIGH] asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [epel-all]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2303740
Discussion:
The issue (CVE-2024-42365) is addressed in Asterisk version 18.24.2. The fix is now available via the asterisk-18.26.4 update for EPEL 8 and EPEL 9.
---
FEDORA-EPEL-2026-f2281acb03 (asterisk-18.26.4-1.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-20
References
https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426
https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426
https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71
https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993
https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2
https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44
https://lists.debian.org/debian-lts-announce/2024/10/msg00016.html
Published: 2024-08-08