Vigil@nce: Asterisk, two vulnerabilities
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can use two vulnerabilities of Asterisk,
in order to execute a shell command, or to bypass ACL.
– Impacted products: Asterisk Open Source
– Severity: 2/4
– Creation date: 31/08/2012
DESCRIPTION OF THE VULNERABILITY
Two vulnerabilities were announced in Asterisk.
An authenticated attacker can use the action AMI Originate with
the application ExternalIVR, in order to execute a shell command.
[severity:2/4; AST-2012-012, BID-55351, CVE-2012-2186]
An attacker, who is authenticated with ARA (Asterisk Realtime
Architecture), can make an IAX2 call bypassing ACL rules.
[severity:2/4; AST-2012-013, BID-55335, CVE-2012-4737]
An authenticated attacker can therefore use two vulnerabilities of
Asterisk, in order to execute a shell command, or to bypass ACL.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-two-vulnerabilities-11911