CVE-2010-0685

Publication date 23 February 2010

Last updated 24 July 2024


Ubuntu priority

Description

The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available.


Status

Package | Ubuntu Release | Status
asterisk | 9.10 karmic | Ignored
asterisk | 9.04 jaunty | Ignored
asterisk | 8.10 intrepid | Ignored
asterisk | 8.04 LTS hardy | Ignored end of life
asterisk | 6.06 LTS dapper | Ignored end of life

Notes


jdstrand

According to upstream, this is not a code vulnerability but a configuration/best practice/documentation issue. From AST-2010-002.html: "One resolution is to wrap the ${EXTEN} channel variable with the FILTER() dialplan function to only accept characters which are expected by the dialplan programmer. The recommendation is for this to be the first priority in all contexts defined as incoming contexts in the channel driver configuration files." asterisk 1.4 and higher have FILTER(), but 1.2 needs a patch.
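
An added example, not part of the Ubuntu tracker entry or the Asterisk project: a Python audit that scans dialplan text for the condition described above, a wildcard pattern whose application arguments expand ${EXTEN} without the FILTER() wrapper. The function name, context names and sample dialplan are constructed for illustration; it assumes one `exten =>` or `same =>` entry per line and `;` comments.

```python
import re

CONTEXT = re.compile(r'^\[([^\]]+)\]')
ENTRY = re.compile(r'^(exten|same)\s*=>?\s*(.+)$')
RAW_EXTEN = re.compile(r'\$\{EXTEN(?::[^}]*)?\}')        # ${EXTEN} or ${EXTEN:1}
# ${FILTER(<allowed>,${EXTEN})}, the wrapper recommended in AST-2010-002
FILTERED = re.compile(r'\$\{FILTER\([^,()]*,\s*\$\{EXTEN(?::[^}]*)?\}\)\}')

# Constructed sample dialplan (hypothetical context names).
SAMPLE = """\
[incoming-unsafe]
exten => _X.,1,Dial(SIP/${EXTEN})

[incoming-filtered]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
same => n,Dial(SIP/${SAFE_EXTEN})

[internal]
exten => 100,1,Dial(SIP/${EXTEN})
"""

def audit_dialplan(text):
    """Return (line, context, pattern, app) per wildcard entry using ${EXTEN} unfiltered."""
    findings, context, pattern = [], None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()      # drop ';' comments
        m = CONTEXT.match(line)
        if m:                                    # new [context] section
            context, pattern = m.group(1), None
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        if m.group(1) == 'exten':                # exten => pattern,priority,app
            parts = m.group(2).split(',', 2)
            if len(parts) < 3:
                continue
            pattern, app = parts[0].strip(), parts[2].strip()
        else:                                    # same => priority,app
            parts = m.group(2).split(',', 1)
            if pattern is None or len(parts) < 2:
                continue
            app = parts[1].strip()
        # Only wildcard patterns (leading "_") let the caller choose the matched string.
        if pattern.startswith('_') and RAW_EXTEN.search(FILTERED.sub('', app)):
            findings.append((no, context, pattern, app))
    return findings
```

On the sample, `audit_dialplan(SAMPLE)` reports only line 2 in `[incoming-unsafe]`; the filtered context and the literal extension `100` are not flagged.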