Asterisk Project Security Advisory - AST-2019-007

         Product        Asterisk                                              
         Summary        AMI user could execute system commands.               
    Nature of Advisory  Remote Code Execution                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      October 10, 2019                                      
       Reported By      Eliel Sardañons                                       
        Posted On       November 21, 2019                                     
     Last Updated On    November 21, 2019                                     
     Advisory Contact   gjoseph AT digium DOT com                             
         CVE Name       CVE-2019-18610                                        

      Description     A remote authenticated Asterisk Manager Interface       
                      (AMI) user without “system” authorization could use a 
                      specially crafted “Originate” AMI request to execute  
                      arbitrary system commands.                              
    Modules Affected  manager.c                                               

    Resolution  The specific parameters of the Originate AMI request that     
                allowed the remote code execution are now blocked if the      
                user does not have the “system” authorization.              

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  13.x    All releases  
                  Asterisk Open Source                  16.x    All releases  
                  Asterisk Open Source                  17.x    All releases  
                   Certified Asterisk                   13.21   All releases  

                                  Corrected In                   
                              Product                              Release    
                       Asterisk Open Source                        13.29.2    
                       Asterisk Open Source                        16.6.2     
                       Asterisk Open Source                        17.0.1     
                        Certified Asterisk                       13.21-cert5  

                               SVN URL                                Revision    Asterisk 
13    Asterisk 
16    Asterisk 
17 Certified  


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
          Date            Editor                  Revisions Made              
    October 24, 2019   George Joseph  Initial Revision                        
    November 21, 2019  Ben Ford       Added “Posted On” date                

               Asterisk Project Security Advisory - AST-2019-007
               Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

-- Bandwidth and Colocation Provided by --

asterisk-announce mailing list
To UNSUBSCRIBE or update options visit:

Reply via email to