NVD Vulnerability Detail

CVE-2024-42365

Summary	Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
Publication Date	Aug. 9, 2024, 2:15 a.m.
Registration Date	Aug. 9, 2024, 5 a.m.
Last Update	Sept. 17, 2024, 5:23 a.m.

CVSS3.1 : HIGH
スコア	8.8
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:asterisk:asterisk::::::::	19.0.0			20.9.1
cpe:2.3:a:asterisk:asterisk::::::::				18.24.2
cpe:2.3:a:asterisk:asterisk:21.4.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:::::::*
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:-::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert11::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert12::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert13::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert14::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc5::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert4::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert5::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert6::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert7::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert9::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1-rc2::::::

Related information, measures and tools

No	URL	タグ
1	https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44	Exploit Technical Description Vendor Advisory
2	https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4	Patch
3	https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8	Patch
4	https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71	Patch
5	https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993	Patch
6	https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2	Patch
7	https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426	Issue Tracking
8	https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426	Issue Tracking

Common Vulnerabilities List

JVN Vulnerability Information

Asterisk の asterisk および Certified Asterisk における脆弱性

Title	Asterisk の asterisk および Certified Asterisk における脆弱性
Summary	Asterisk の asterisk および Certified Asterisk には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 8, 2024, midnight
Registration Date	Sept. 18, 2024, 4:05 p.m.
Last Update	Sept. 18, 2024, 4:05 p.m.

Affected System

Asterisk

asterisk 18.24.2 未満

asterisk 19.0.0 以上 20.9.1 未満

asterisk 21.4.0

Certified Asterisk 13.13.0

Certified Asterisk 16.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-42365	https://www.cve.org/CVERecord?id=CVE-2024-42365
National Vulnerability Database (NVD)
2	CVE-2024-42365	https://nvd.nist.gov/vuln/detail/CVE-2024-42365

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-1220	https://cwe.mitre.org/data/definitions/1220.html
2	CWE-267	https://cwe.mitre.org/data/definitions/267.html
3	CWE-Other	https://www.ipa.go.jp/security/vuln/scap/cwe.html

その他

No	Name	URL
関連文書
1	github.com (42a2f4ccfa2c7062a15063e765916b3332e34cc4)	https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
2	github.com (7a0090325bfa9d778a39ae5f7d0a98109e4651c8)	https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
3	github.com (b4063bf756272254b160b6d1bd6e9a3f8e16cc71)	https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71
4	github.com (bbe68db10ab8a80c29db383e4dfe14f6eafaf993)	https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993
5	github.com (faddd99f2b9408b524e5eb8a01589fe1fa282df2)	https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2
6	github.com (GHSA-c4cg-9275-6w44)	https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44
7	github.com (manager.c#L6426)	https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426
8	github.com (manager.c#L6426)	https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426

Change Log

No	Changed Details	Date of change
1	[2024年09月18日] 掲載	Sept. 18, 2024, 3:52 p.m.

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:::::::*
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:13.13.0:cert1-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:-::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert11::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert12::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert13::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert14::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert1-rc5::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc3::::::
cpe:2.3:a:asterisk:certified_asterisk:16.8:cert4-rc4::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert10::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert4::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert5::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert6::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert7::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert8-rc2::::::
cpe:2.3:a:asterisk:certified_asterisk:18.9:cert9::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1-rc1::::::
cpe:2.3:a:asterisk:certified_asterisk:20.7:cert1-rc2::::::