A user of the Asterisk Manager Interface (AMI) can bypass a security check and execute shell commands without having permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the Originate action, or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify whether a user has System class authorization. If the user does not have that authorization, Asterisk rejects the action whenever it detects the use of any functions or applications that run system commands.
Asterisk now performs checks against manager commands that cause these behaviors for each of the affected actions.
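The check described above, written out as an added example (this is illustrative code, not Asterisk's own patch): it parses a raw AMI action, and for the Originate, GetVar and Status actions rejects any use of the MixMonitor application or the SHELL/EVAL functions unless the user holds System class. The permission bit values, the `parse_action`/`check_action` names and the sample actions are constructed for this example; the list of flagged names is limited to those the advisory mentions.

```python
import re

# Permission-class bits for this example (constructed; not Asterisk's own
# EVENT_FLAG_* values). Only System class may run system commands.
PERM_SYSTEM = 1 << 0
PERM_CALL = 1 << 1
PERM_ORIGINATE = 1 << 2

# Names taken from the advisory: dialplan functions and the application that
# can execute shell commands. A real deployment would extend this list.
SHELL_FUNCTIONS = ("SHELL", "EVAL")
SHELL_APPS = ("MixMonitor",)

# Matches SHELL( / EVAL( anywhere in a value, including inside ${...}
# expansions. Case-insensitive on purpose: reject on any spelling.
_FUNC_RE = re.compile(r"\b(" + "|".join(SHELL_FUNCTIONS) + r")\s*\(", re.IGNORECASE)


def parse_action(raw: str) -> dict:
    """Parse an AMI action: 'Key: Value' lines terminated by a blank line."""
    action = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition(":")
        action[key.strip().lower()] = value.strip()
    return action


def references_shell_function(text: str) -> bool:
    return _FUNC_RE.search(text) is not None


def check_action(action: dict, perms: int) -> tuple:
    """Return (allowed, reason) for a parsed action and the user's permissions."""
    if perms & PERM_SYSTEM:
        return True, "System class: no restriction"
    name = action.get("action", "").lower()
    if name == "originate":
        app = action.get("application", "")
        if app.lower() in (a.lower() for a in SHELL_APPS):
            return False, f"Originate of {app} requires System class"
        if references_shell_function(action.get("data", "") + " " + action.get("variable", "")):
            return False, "Originate Data/Variable uses SHELL/EVAL"
    elif name in ("getvar", "status"):
        fields = action.get("variable", "") + " " + action.get("variables", "")
        if references_shell_function(fields):
            return False, f"{name} variable lookup uses SHELL/EVAL"
    return True, "no system-command use detected"


# Constructed sample: an Originate-class user trying to start MixMonitor.
SAMPLE_ORIGINATE = ("Action: Originate\r\nChannel: Local/100@default\r\n"
                    "Application: MixMonitor\r\nData: rec.wav\r\n\r\n")

if __name__ == "__main__":
    print(check_action(parse_action(SAMPLE_ORIGINATE), PERM_ORIGINATE | PERM_CALL))
```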
The following versions are affected:
- Asterisk Open Source 1.6.2.x All versions
- Asterisk Open Source 1.8.x All versions
- Asterisk Open Source 10.x All versions
- Asterisk Business Edition C.3.x All versions
Corrected In Product Release:
- Asterisk Open Source 18.104.22.168, 22.214.171.124, 10.3.1
- Asterisk Business Edition C.3.7.4