Command injection in Certified Asterisk and Asterisk Open Source - CVE-2017-14100
Published: September 1, 2017 / Updated: September 7, 2017
Vulnerability identifier: #VU8064
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: CVE-2017-14100
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Certified Asterisk
Asterisk Open Source
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.
The weakness exists due to an input validation flaw in the 'app_minivm' module. A remote attacker can supply specially crafted caller-ID name and number data and execute arbitrary operating system commands.
Successful exploitation of the vulnerability may result in system compromise.
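As an added illustration (not Asterisk's code and not the vendor's patch), the defensive pattern for a CWE-77 flaw of this shape in C: caller-ID fields are either shell-quoted or checked against an allowlist before any command line is built from them. The notification script path and the function names are assumptions.

```c
/* Added example, not Asterisk's code: quote or allowlist caller-ID fields before
 * they reach a shell (CWE-77). Script path and function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Single-quote 'in' for the shell, rewriting each ' as '\'' so the value is one
 * literal word. Returns 0, or -1 if the result does not fit in out[]. */
static int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 2) return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (n + 4 >= outsz) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *in;
        }
    }
    if (n + 2 > outsz) return -1;
    out[n++] = '\'';
    out[n] = '\0';
    return 0;
}

/* Allowlist for a caller-ID number: optional leading '+', then digits only. */
static int number_is_clean(const char *num)
{
    if (*num == '+') num++;
    if (!*num) return 0;
    for (; *num; num++)
        if (!isdigit((unsigned char)*num)) return 0;
    return 1;
}

/* Build the command line handed to the shell. Returns 0, or -1 when the number
 * fails validation or the buffer is too small; the name is quoted, never trusted. */
static int build_notify_cmd(const char *script, const char *cid_name,
                            const char *cid_num, char *cmd, size_t cmdsz)
{
    char qname[256];
    if (!number_is_clean(cid_num)) return -1;
    if (shell_quote(cid_name, qname, sizeof qname) < 0) return -1;
    if (snprintf(cmd, cmdsz, "%s %s %s", script, qname, cid_num) >= (int)cmdsz) return -1;
    return 0;
}
```

A name such as `Eve'; id #` becomes the single shell word `'Eve'\''; id #'`, and a number containing anything but digits is rejected outright rather than passed through.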
How to mitigate CVE-2017-14100
The vulnerability is addressed in the following versions:
Asterisk Open Source - 11.25.2, 13.17.1, 14.6.1.
Certified Asterisk - 11.6-cert17, 13.13-cert5.