CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |

EPSS

Percentile: 83.2%

The design of the dialplan functionality in Asterisk Open Source 1.2.x,
1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using
the ${EXTEN} channel variable and wildcard pattern matches, allows
context-dependent attackers to inject strings into the dialplan using
metacharacters that are injected when the variable is expanded, as
demonstrated using the Dial application to process a crafted SIP INVITE
message that adds an unintended outgoing channel leg. NOTE: it could be
argued that this is not a vulnerability in Asterisk, but a class of
vulnerabilities that can occur in any program that uses this feature
without the associated filtering functionality that is already available.

Author | Note |
---|---|
jdstrand | According to upstream, this is not a code vulnerability but a configuration/best practice/documentation issue. From AST-2010-002.html: “One resolution is to wrap the ${EXTEN} channel variable with the FILTER() dialplan function to only accept characters which are expected by the dialplan programmer. The recommendation is for this to be the first priority in all contexts defined as incoming contexts in the channel driver configuration files.” asterisk 1.4 and higher have FILTER(), but 1.2 needs a patch |
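
The following audit script is an added example, not code from the advisory or from the Asterisk project. It scans an `extensions.conf` for wildcard pattern matches that expand `${EXTEN}` without wrapping it in `FILTER()`, the condition the description and the quoted recommendation refer to. The function names, the sample dialplan, and the `0-9` allowed-character set are assumptions made for illustration.

```python
import re

# Constructed sample extensions.conf; contexts and peers are made up.
SAMPLE_DIALPLAN = """\
[incoming-unsafe]
exten => _X.,1,Dial(SIP/${EXTEN})        ; raw ${EXTEN} reaches Dial

[incoming-filtered]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN})

[incoming-fixed-length]
exten => _NXXXXXX,1,Dial(SIP/${EXTEN})   ; pattern admits digits only
"""

CONTEXT = re.compile(r"^\[([^\]]+)\]")
EXTEN = re.compile(r"^exten\s*=>?\s*([^,]+),([^,]+),(.*)$")
SAME = re.compile(r"^same\s*=>?\s*([^,]+),(.*)$")
FILTERED = re.compile(r"\$\{FILTER\([^,]*,\$\{EXTEN(?::[^}]*)?\}\)\}")
RAW_EXTEN = re.compile(r"\$\{EXTEN[:}]")


def is_open_pattern(pattern):
    """True for pattern matches whose '.' or '!' wildcard accepts any character."""
    if not pattern.startswith("_"):
        return False
    body = re.sub(r"\[[^\]]*\]", "", pattern[1:])  # ignore '.'/'!' inside sets
    return "." in body or "!" in body


def audit_dialplan(text):
    """Return (context, pattern, line_no) for each unfiltered ${EXTEN} use."""
    findings, context, pattern = [], None, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments
        if m := CONTEXT.match(line):
            context, pattern = m.group(1), None
            continue
        if m := EXTEN.match(line):
            pattern, app = m.group(1).strip(), m.group(3)
        elif (m := SAME.match(line)) and pattern:
            app = m.group(2)
        else:
            continue
        if is_open_pattern(pattern) and RAW_EXTEN.search(FILTERED.sub("", app)):
            findings.append((context, pattern, line_no))
    return findings
```

This is a line-based heuristic: it does not follow a variable that was assigned from `${EXTEN}` without `FILTER()` and used later, so a clean result still warrants a manual read of every incoming context.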