Asterisk Project Security Advisory - AST-2019-007 Product Asterisk Summary AMI user could execute system commands. Nature of Advisory Remote Code Execution Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On October 10, 2019 Reported By Eliel Sardañons Posted On November 21, 2019 Last Updated On November 21, 2019 Advisory Contact gjoseph AT digium DOT com CVE Name CVE-2019-18610 Description A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization could use a specially crafted “Originate” AMI request to execute arbitrary system commands. Modules Affected manager.c Resolution The specific parameters of the Originate AMI request that allowed the remote code execution are now blocked if the user does not have the “system” authorization. Affected Versions Product Release Series Asterisk Open Source 13.x All releases Asterisk Open Source 16.x All releases Asterisk Open Source 17.x All releases Certified Asterisk 13.21 All releases Corrected In Product Release Asterisk Open Source 13.29.2 Asterisk Open Source 16.6.2 Asterisk Open Source 17.0.1 Certified Asterisk 13.21-cert5 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff Asterisk 16 http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff Asterisk 17 http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff Certified Asterisk 13.21-cert5 Links https://issues.asterisk.org/jira/browse/ASTERISK-28580 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-007.pdf and http://downloads.digium.com/pub/security/AST-2019-007.html Revision History Date Editor Revisions Made October 24, 2019 George Joseph Initial Revision November 21, 2019 Ben Ford Added “Posted On” date Asterisk Project Security Advisory - AST-2019-007 Copyright © 2019 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.