Vulnerabilities > CVE-2012-2414 - Improper Authentication vulnerability in Asterisk Open Source

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
asterisk
CWE-287
nessus

Summary

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

Vulnerable Configurations

Part Description Count
Application
Asterisk
153

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6704.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk 1.6.2, 1.8, and 10. The available security releases are released as versions 1.6.2.24, 1.8.11.1, and 10.3.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. - A heap overflow vulnerability in the Skinny Channel driver. The keypad button message event failed to check the length of a fixed length buffer before appending a received digit to the end of that buffer. A remote authenticated user could send sufficient keypad button message events that the buffer would be overrun. In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the following issue : - A remote crash vulnerability in the SIP channel driver when processing UPDATE requests. If a SIP UPDATE request was received indicating a connected line update after a channel was terminated but before the final destruction of the associated SIP dialog, Asterisk would attempt a connected line update on a non-existing channel, causing a crash. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.6.2.24 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.11.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.3.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-004. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 5.pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 6.pdf Update to 1.8.11.0 Update to 1.8.10.1, which fixes 2 security vulnerabilities. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-05-07
    plugin id59002
    published2012-05-07
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59002
    titleFedora 17 : asterisk-10.3.1-1.fc17 (2012-6704)
  • NASL familyMisc.
    NASL idASTERISK_AST_2012_004.NASL
    descriptionAccording to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow an authenticated, remote attacker to run arbitrary commands with the credentials of the Asterisk server.
    last seen2020-06-01
    modified2020-06-02
    plugin id58904
    published2012-04-27
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58904
    titleAsterisk Manager User Unauthorized Shell Access (AST-2012-004)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1C5ABBE28D7F11E1A37414DAE9EBCF89.NASL
    descriptionAsterisk project reports : Remote Crash Vulnerability in SIP Channel Driver Heap Buffer Overflow in Skinny Channel Driver Asterisk Manager User Unauthorized Shell Access
    last seen2020-06-01
    modified2020-06-02
    plugin id58837
    published2012-04-24
    reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58837
    titleFreeBSD : asterisk -- multiple vulnerabilities (1c5abbe2-8d7f-11e1-a374-14dae9ebcf89)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6724.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk 1.6.2, 1.8, and 10. The available security releases are released as versions 1.6.2.24, 1.8.11.1, and 10.3.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. - A heap overflow vulnerability in the Skinny Channel driver. The keypad button message event failed to check the length of a fixed length buffer before appending a received digit to the end of that buffer. A remote authenticated user could send sufficient keypad button message events that the buffer would be overrun. In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the following issue : - A remote crash vulnerability in the SIP channel driver when processing UPDATE requests. If a SIP UPDATE request was received indicating a connected line update after a channel was terminated but before the final destruction of the associated SIP dialog, Asterisk would attempt a connected line update on a non-existing channel, causing a crash. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.6.2.24 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.11.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.3.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-004. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 5.pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 6.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-05-07
    plugin id59003
    published2012-05-07
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59003
    titleFedora 15 : asterisk-1.8.11.1-1.fc15 (2012-6724)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2460.NASL
    descriptionSeveral vulnerabilities were discovered in the Asterisk PBX and telephony toolkit : - CVE-2012-1183 Russell Bryant discovered a buffer overflow in the Milliwatt application. - CVE-2012-2414 David Woolley discovered a privilege escalation in the Asterisk manager interface. - CVE-2012-2415 Russell Bryant discovered a buffer overflow in the Skinny driver.
    last seen2020-03-17
    modified2012-04-26
    plugin id58880
    published2012-04-26
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58880
    titleDebian DSA-2460-1 : asterisk - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6612.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk 1.6.2, 1.8, and 10. The available security releases are released as versions 1.6.2.24, 1.8.11.1, and 10.3.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two issues : - A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. - A heap overflow vulnerability in the Skinny Channel driver. The keypad button message event failed to check the length of a fixed length buffer before appending a received digit to the end of that buffer. A remote authenticated user could send sufficient keypad button message events that the buffer would be overrun. In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the following issue : - A remote crash vulnerability in the SIP channel driver when processing UPDATE requests. If a SIP UPDATE request was received indicating a connected line update after a channel was terminated but before the final destruction of the associated SIP dialog, Asterisk would attempt a connected line update on a non-existing channel, causing a crash. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.6.2.24 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.11.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.3.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-004. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 5.pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 6.pdf Update to 1.8.11.0 Update to 1.8.10.1, which fixes 2 security vulnerabilities. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-05-04
    plugin id58981
    published2012-05-04
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58981
    titleFedora 16 : asterisk-1.8.11.1-1.fc16 (2012-6612)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201206-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201206-05 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: An error in manager.c allows shell access through the MixMonitor application, GetVar, or Status (CVE-2012-2414). An error in chan_skinny.c could cause a heap-based buffer overflow (CVE-2012-2415). An error in chan_sip.c prevents Asterisk from checking if a channel exists before connected line updates (CVE-2012-2416). An error in chan_iax2.c may cause an invalid pointer to be called (CVE-2012-2947). chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948). Impact : A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id59633
    published2012-06-21
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59633
    titleGLSA-201206-05 : Asterisk: Multiple vulnerabilities