VOIP: Digium Asterisk app_minivm Caller-ID Command Execution

A command execution vulnerability has been reported in Digium Asterisk. A remote, authenticated attacker could exploit this vulnerability by sending specially crafted SIP packets to the Asterisk server. Successful exploitation could result in arbitrary command execution in the security context of the Asterisk service.

Extended Description

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

Affected Products

Digium Asterisk

Short Name
VOIP:SIP:DIGIUM-ASTRESK-CE
Severity
Major
Recommended
True
Recommended Action
Drop
Category
VOIP
Keywords
Asterisk CVE-2017-14100 Caller-ID Command Digium Execution app_minivm
Release Date
10/13/2017
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3450
False Positive
Unknown
Vendors
Digium
CVSS Score
7.5