cbcvebase.
CVE-2024-42365
published 2024-08-08


Priority: P2 (72), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 4.70% (90.7th percentile)
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.

Affected (14 ranges)

Vendor    Product             Version range                                    Fixed in
asterisk  asterisk            < 18.9-cert11                                    18.9-cert11
asterisk  asterisk            < 18.24.2                                        18.24.2
asterisk  asterisk
asterisk  asterisk
asterisk  asterisk
asterisk  asterisk
asterisk  asterisk            >= 0 < 1:16.28.0~dfsg-0+deb11u5                  1:16.28.0~dfsg-0+deb11u5
asterisk  asterisk            >= 19.0.0 < 20.9.1                               20.9.1
asterisk  certified_asterisk
asterisk  certified_asterisk
asterisk  certified_asterisk
asterisk  certified_asterisk
asterisk  certified_asterisk
debian    asterisk            < asterisk 1:16.28.0~dfsg-0+deb11u5 (bullseye)   asterisk 1:16.28.0~dfsg-0+deb11u5 (bullseye)

Detection & IOCs (extracted from sources)

Path: /etc/asterisk/
  • Monitor AMI sessions where the authenticated user has 'write=originate' permission — this permission level alone is sufficient for RCE via dialplan manipulation.
  • Detect use of the FILE() function inside the SET dialplan application over AMI, which can be used to append arbitrary content to existing Asterisk configuration files.
  • Alert on AMI Originate actions that write new dialplan extensions containing System() calls, which enable OS command execution as the asterisk service user.
  • Monitor for outbound curl/HTTP requests initiated by the Asterisk process to remote hosts, which may indicate exploitation of the remote file fetch-and-write primitive.
  • A public Metasploit module exists for this CVE targeting Asterisk AMI; expect exploitation attempts against the default AMI TCP port (5038).
  • The vulnerability requires valid AMI credentials with 'write=originate' — it is an authenticated exploit, not unauthenticated. Restrict AMI user permissions and audit all accounts holding 'write=originate'.
  • Affected versions are Asterisk < 18.24.2, < 20.9.2, < 21.4.2 and certified-asterisk < 18.9-cert11 and < 20.7-cert2. Patch to these versions or later to remediate.
  • The exploit can also be used for blind SSRF with arbitrary protocol (not just HTTP), meaning network egress controls on the Asterisk host are an important compensating control.
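As an added example (not from this page's sources or the Asterisk project), a small Python checker for two of the detection points above: it scans a constructed AMI action log for Originate actions that pass FILE() to the Set application, and audits a constructed manager.conf excerpt for user sections whose write permission includes originate. The log layout, user names and sample values are constructed assumptions.

```python
import re
# Constructed sample AMI actions (one blank-line separated block per action), as an
# AMI session logger might record them; constructed for this example, not real traffic.
SAMPLE_AMI_ACTIONS = """\
Action: Originate
Username: monitor
Application: Playback
Data: hello-world

Action: Originate
Username: ops
Application: Set
Data: FILE(/etc/asterisk/extensions.conf)=constructed-content
"""
# Constructed manager.conf excerpt (secrets omitted).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes

[monitor]
write = call

[ops]
write = originate,call   ; flagged: write includes originate
"""
def parse_actions(text):
    """Split blank-line separated AMI actions into dicts of lower-cased header -> value."""
    return [dict((k.strip().lower(), v.strip()) for k, _, v in
                 (line.partition(":") for line in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]
def flag_file_writes(text):
    """(username, data) for Originate actions whose Set application data calls FILE().
    Any FILE() in Set data over AMI merits an alert; matching only /etc/asterisk/ paths
    would miss targets hidden behind variable expansion."""
    return [(a.get("username", "?"), a.get("data", "")) for a in parse_actions(text)
            if a.get("action", "").lower() == "originate"
            and a.get("application", "").lower() == "set"
            and re.search(r"\bFILE\s*\(", a.get("data", ""), re.IGNORECASE)]
def users_with_originate(conf_text):
    """manager.conf user sections whose write permission includes originate or all."""
    section, found = None, []
    for raw in conf_text.splitlines():
        line = raw.split(";")[0].strip()  # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section != "general" and line.partition("=")[0].strip() == "write":
            perms = {p.strip().lower() for p in line.partition("=")[2].split(",")}
            if perms & {"originate", "all"}:
                found.append(section)
    return found
```

Feed the first function the AMI traffic your collector records and the second your real manager.conf; every name it returns is an account that holds the permission the advisory calls sufficient on unpatched builds.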

CVSS provenance

nvd: CVSS v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 8.8 HIGH
vendor_debian: 7.4 HIGH