asterisk: CVE-2019-18610: AST-2019-007: AMI user could execute system commands

Debian Bug report logs - #947377
asterisk: CVE-2019-18610: AST-2019-007: AMI user could execute system commands

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: asterisk: CVE-2019-18610: AST-2019-007: AMI user could execute system commands

Date: Wed, 25 Dec 2019 22:47:57 +0100

Source: asterisk
Version: 1:16.2.1~dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-28580
Control: found -1 1:16.2.1~dfsg-1+deb10u1
Control: found -1 1:16.2.1~dfsg-1
Control: found -1 1:13.14.1~dfsg-2+deb9u4
Control: found -1 1:13.14.1~dfsg-1

Hi,

The following vulnerability was published for asterisk.

CVE-2019-18610[0]:
| An issue was discovered in manager.c in Sangoma Asterisk through 13.x,
| 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote
| authenticated Asterisk Manager Interface (AMI) user without system
| authorization could use a specially crafted Originate AMI request to
| execute arbitrary system commands.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18610
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18610
[1] https://issues.asterisk.org/jira/browse/ASTERISK-28580
[2] https://downloads.asterisk.org/pub/security/AST-2019-007.html

Regards,
Salvatore

Send a report that this bug log contains spam.