OS Command Injection in asterisk (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-18610 |
| CWE-ID | CWE-78 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
asterisk (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU22935
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18610
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the "manager.c" module. A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization can use a specially crafted “Originate” AMI request to execute arbitrary system commands.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsasterisk (Alpine package): 13.3.2-r0 - 16.5.1-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=25ffac29e0a3e87794220e04795def02f66a3e81
http://git.alpinelinux.org/aports/commit/?id=38664bd7a807d4b24c0e0482bdb1c041e783469e
http://git.alpinelinux.org/aports/commit/?id=6a36d2a527e316e6506513ef5e5c60b2934f0962
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
