~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2012-2414
PublicDate: 2012-04-30
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2414
 http://downloads.asterisk.org/pub/security/AST-2012-004.html
Description:
 main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x
 before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk
 Business Edition C.3.x before C.3.7.4 does not properly enforce System
 class authorization requirements, which allows remote authenticated users
 to execute arbitrary commands via (1) the originate action in the
 MixMonitor application, (2) the SHELL and EVAL functions in the GetVar
 manager action, or (3) the SHELL and EVAL functions in the Status manager
 action.
Ubuntu-Description:
Notes:
 tyhicks> Affects 1.6.2.x, 1.8.x, 10.x
 tyhicks> Attacker must be authenticated into the Asterisk Manager Interface
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180
 https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/996162
Priority: low
Discovered-by: David Woolley
Assigned-to:

Patches_asterisk:
upstream_asterisk: released (1:1.8.11.1~dfsg-1)
hardy_asterisk: not-affected (1.4.17~dfsg-2ubuntu1.1)
lucid_asterisk: ignored (reached end-of-life)
natty_asterisk: ignored (reached end-of-life)
oneiric_asterisk: ignored (reached end-of-life)
precise_asterisk: ignored (reached end-of-life)
precise/esm_asterisk: DNE (precise was needed)
quantal_asterisk: not-affected (1:1.8.13.1~dfsg-1ubuntu2)
raring_asterisk: not-affected
saucy_asterisk: not-affected
trusty_asterisk: not-affected
utopic_asterisk: not-affected
vivid_asterisk: not-affected
vivid/stable-phone-overlay_asterisk: DNE
vivid/ubuntu-core_asterisk: DNE
wily_asterisk: not-affected
xenial_asterisk: not-affected
yakkety_asterisk: not-affected
zesty_asterisk: not-affected
devel_asterisk: not-affected