History: Feb 23, 2010 - 12:00 a.m.

CVE-2010-0685

2010-02-23 00:00:00
ubuntu.com

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.009
Percentile: 83.2%

The design of the dialplan functionality in Asterisk Open Source 1.2.x,
1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using
the ${EXTEN} channel variable and wildcard pattern matches, allows
context-dependent attackers to inject strings into the dialplan using
metacharacters that are injected when the variable is expanded, as
demonstrated using the Dial application to process a crafted SIP INVITE
message that adds an unintended outgoing channel leg. NOTE: it could be
argued that this is not a vulnerability in Asterisk, but a class of
vulnerabilities that can occur in any program that uses this feature
without the associated filtering functionality that is already available.

Notes

Author Note

jdstrand: According to upstream, this is not a code vulnerability but a configuration/best practice/documentation issue. From AST-2010-002.html: “One resolution is to wrap the ${EXTEN} channel variable with the FILTER() dialplan function to only accept characters which are expected by the dialplan programmer. The recommendation is for this to be the first priority in all contexts defined as incoming contexts in the channel driver configuration files.”

Asterisk 1.4 and higher have FILTER(), but 1.2 needs a patch.
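One way to audit a dialplan for the condition described above, as an added example that is not code from Ubuntu, the advisory or the Asterisk project: it reports every pattern-match extension that expands ${EXTEN} without the FILTER() wrapping quoted from AST-2010-002. The sample dialplan, the function name and the choice to treat every pattern beginning with `_` as a wildcard match are assumptions made for this example.

```python
import re

# Constructed sample dialplan for illustration; contexts and peers are made up.
SAMPLE_DIALPLAN = r"""
[incoming-weak]
exten => _X.,1,Dial(SIP/${EXTEN})

[incoming-filtered]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN})

[internal]
exten => 100,1,Dial(SIP/${EXTEN})   ; literal extension, no pattern match
"""

CONTEXT_RE = re.compile(r"^\[([^\]]+)\]")
ENTRY_RE = re.compile(r"^(exten|same)\s*=>?\s*(.*)$")
EXTEN_RE = re.compile(r"\$\{EXTEN(?::[^}]*)?\}")  # ${EXTEN} or ${EXTEN:offset}
# ${FILTER(<allowed-chars>,${EXTEN})}: the wrapping recommended in AST-2010-002
FILTERED_RE = re.compile(r"\$\{FILTER\([^,]*,\s*\$\{EXTEN(?::[^}]*)?\}\)\}")


def audit_dialplan(text):
    """Return (line_no, context, pattern) for unfiltered ${EXTEN} in pattern matches."""
    findings = []
    context = pattern = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # drop dialplan comments
        if not line:
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context, pattern = m.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "exten":
            pattern, _, rest = rest.partition(",")
            pattern = pattern.strip()
        # "same" lines reuse the pattern of the preceding exten line.
        if not pattern or not pattern.startswith("_"):
            continue  # literal extension: ${EXTEN} can only be that literal
        unfiltered = FILTERED_RE.sub("", rest)  # discard properly wrapped uses
        if EXTEN_RE.search(unfiltered):
            findings.append((line_no, context, pattern))
    return findings

# audit_dialplan(SAMPLE_DIALPLAN) -> [(3, "incoming-weak", "_X.")]
```

The check is conservative: a pattern that can only match digits is still reported, so each finding needs a manual look before the dialplan is changed.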
