CVE-2012-2186 - Unspecified vulnerability in Asterisk products

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.

Vulnerable Configurations

Part         Description  Count
Application  Asterisk     118

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13338.NASL
    description: fix build on s390 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt file delivered with Asterisk has been updated due to this and other related vulnerabilities fixed in previous versions of Asterisk. - When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer
    last seen: 2020-03-17
    modified: 2012-09-18
    plugin id: 62149
    published: 2012-09-18
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62149
    title: Fedora 17 : asterisk-10.7.1-2.fc17 (2012-13338)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2012-13338.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62149);
      script_version("1.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-2186");
      script_bugtraq_id(55351);
      script_xref(name:"FEDORA", value:"2012-13338");
    
      script_name(english:"Fedora 17 : asterisk-10.7.1-2.fc17 (2012-13338)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "fix build on s390 The Asterisk Development Team has announced security
    releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The
    available security releases are released as versions 1.8.11-cert7,
    1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
    
    These releases are available for immediate download at
    http://downloads.asterisk.org/pub/telephony/asterisk/releases
    
    The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and
    10.7.1-digiumphones resolve the following two issues :
    
      - A permission escalation vulnerability in Asterisk
        Manager Interface. This would potentially allow remote
        authenticated users the ability to execute commands on
        the system shell with the privileges of the user running
        the Asterisk application. Please note that the
        README-SERIOUSLY.bestpractices.txt file delivered with
        Asterisk has been updated due to this and other related
        vulnerabilities fixed in previous versions of Asterisk.
    
      - When an IAX2 call is made using the credentials of a
        peer defined in a dynamic Asterisk Realtime Architecture
        (ARA) backend, the ACL rules for that peer are not
        applied to the call attempt. This allows for a remote
        attacker who is aware of a peer's credentials to bypass
        the ACL rules set for that peer.
    
    These issues and their resolutions are described in the security
    advisories.
    
    For more information about the details of these vulnerabilities,
    please read security advisories AST-2012-012 and AST-2012-013, which
    were released at the same time as this announcement.
    
    For a full list of changes in the current releases, please see the
    ChangeLogs :
    
    http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
    
    The security advisories are available at :
    
      - http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
    
      - http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-012.pdf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-013.pdf"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/telephony/asterisk/releases/"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?956de3ad"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?76287dad"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9bf6a6b4"
      );
      # http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?31164e5a"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=853541"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2012-September/086324.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3345f479"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^17([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC17", reference:"asterisk-10.7.1-2.fc17")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13437.NASL
    description: The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt file delivered with Asterisk has been updated due to this and other related vulnerabilities fixed in previous versions of Asterisk. - When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer
    last seen: 2020-03-17
    modified: 2012-09-18
    plugin id: 62154
    published: 2012-09-18
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62154
    title: Fedora 16 : asterisk-1.8.15.1-1.fc16 (2012-13437)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2012-13437.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62154);
      script_version("1.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-2186");
      script_bugtraq_id(55351);
      script_xref(name:"FEDORA", value:"2012-13437");
    
      script_name(english:"Fedora 16 : asterisk-1.8.15.1-1.fc16 (2012-13437)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Asterisk Development Team has announced security releases for
    Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available
    security releases are released as versions 1.8.11-cert7, 1.8.15.1,
    10.7.1, and 10.7.1-digiumphones.
    
    These releases are available for immediate download at
    http://downloads.asterisk.org/pub/telephony/asterisk/releases
    
    The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and
    10.7.1-digiumphones resolve the following two issues :
    
      - A permission escalation vulnerability in Asterisk
        Manager Interface. This would potentially allow remote
        authenticated users the ability to execute commands on
        the system shell with the privileges of the user running
        the Asterisk application. Please note that the
        README-SERIOUSLY.bestpractices.txt file delivered with
        Asterisk has been updated due to this and other related
        vulnerabilities fixed in previous versions of Asterisk.
    
      - When an IAX2 call is made using the credentials of a
        peer defined in a dynamic Asterisk Realtime Architecture
        (ARA) backend, the ACL rules for that peer are not
        applied to the call attempt. This allows for a remote
        attacker who is aware of a peer's credentials to bypass
        the ACL rules set for that peer.
    
    These issues and their resolutions are described in the security
    advisories.
    
    For more information about the details of these vulnerabilities,
    please read security advisories AST-2012-012 and AST-2012-013, which
    were released at the same time as this announcement.
    
    For a full list of changes in the current releases, please see the
    ChangeLogs :
    
    http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
    
    The security advisories are available at :
    
      - http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
    
      - http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-012.pdf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-013.pdf"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/telephony/asterisk/releases/"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?956de3ad"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?76287dad"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9bf6a6b4"
      );
      # http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?31164e5a"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=853541"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2012-September/086282.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dac32fd1"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC16", reference:"asterisk-1.8.15.1-1.fc16")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13286.NASL
    description: fix build on s390 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt file delivered with Asterisk has been updated due to this and other related vulnerabilities fixed in previous versions of Asterisk. - When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer
    last seen: 2020-03-17
    modified: 2012-09-18
    plugin id: 62148
    published: 2012-09-18
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62148
    title: Fedora 18 : asterisk-10.7.1-2.fc18 (2012-13286)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_4C53F007F2ED11E1A21514DAE9EBCF89.NASL
    description: Asterisk project reports : Asterisk Manager User Unauthorized Shell Access; ACL rules ignored when placing outbound calls by certain IAX2 users
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61742
    published: 2012-08-31
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/61742
    title: FreeBSD : asterisk -- multiple vulnerabilities (4c53f007-f2ed-11e1-a215-14dae9ebcf89)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201209-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201209-15 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: An error in manager.c allows shell access (CVE-2012-2186). An error in Asterisk could cause all RTP ports to be exhausted (CVE-2012-3812). A double-free error could occur when two parties attempt to manipulate the same voicemail account simultaneously (CVE-2012-3863). Asterisk does not properly implement certain ACL rules (CVE-2012-4737). Impact : A remote, authenticated attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass outbound call restrictions. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62344
    published: 2012-09-27
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62344
    title: GLSA-201209-15 : Asterisk: Multiple vulnerabilities
  • NASL family: Misc.
    NASL id: ASTERISK_AST_2012_012.NASL
    description: According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote, authenticated attacker to bypass access controls, execute shell commands and escalate privileges. Applications and functions that require
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61993
    published: 2012-09-06
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/61993
    title: Asterisk Manager Interface ExternalIVR Application Originate Action Remote Shell Command Execution (AST-2012-012)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2550.NASL
    description: Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit, allowing privilege escalation in the Asterisk Manager, denial of service or privilege escalation. More detailed information can be found in the Asterisk advisories: AST-2012-010, AST-2012-011, AST-2012-012, and AST-2012-013.
    last seen: 2020-03-17
    modified: 2012-09-19
    plugin id: 62188
    published: 2012-09-19
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62188
    title: Debian DSA-2550-2 : asterisk - several vulnerabilities