CVE-2017-14100
Last modified
CVE-2017-14100 is a vulnerability of currently unknown severity. In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. EPSS estimates a 14.91% chance of exploitation in the next 30 days.
Description
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Digium | Asterisk | 13.0.0 | — |
| Digium | Asterisk | 13.0.1 | — |
| Digium | Asterisk | 13.0.2 | — |
| Digium | Asterisk | 13.1.0 | — |
| Digium | Asterisk | 13.1.1 | — |
| Digium | Asterisk | 13.2.0 | — |
| Digium | Asterisk | 13.2.1 | — |
| Digium | Asterisk | 13.3.0 | Rc1 |
| Digium | Asterisk | 13.3.2 | — |
| Digium | Asterisk | 13.4.0 | — |
| Digium | Asterisk | 13.5.0 | — |
| Digium | Asterisk | 13.6.0 | Rc1 |
| Digium | Asterisk | 13.7.0 | Rc1 |
| Digium | Asterisk | 13.7.1 | — |
| Digium | Asterisk | 13.7.2 | — |
| Digium | Asterisk | 13.8.0 | — |
| Digium | Asterisk | 13.8.1 | — |
| Digium | Asterisk | 13.8.2 | — |
| Digium | Asterisk | 13.9.0 | — |
| Digium | Asterisk | 13.9.1 | — |
| Digium | Asterisk | 13.10.0 | — |
| Digium | Asterisk | 13.11.0 | — |
| Digium | Asterisk | 13.11.1 | — |
| Digium | Asterisk | 13.11.2 | — |
| Digium | Asterisk | 13.12 | — |
| Digium | Asterisk | 13.12.0 | — |
| Digium | Asterisk | 13.12.1 | — |
| Digium | Asterisk | 13.12.2 | — |
| Digium | Asterisk | 13.13 | — |
| Digium | Asterisk | 13.13.0 | — |
| Digium | Asterisk | 13.13.1 | — |
| Digium | Asterisk | 13.14.0 | — |
| Digium | Asterisk | 13.14.1 | — |
| Digium | Asterisk | 13.15.0 | — |
| Digium | Asterisk | 13.15.1 | — |
| Digium | Asterisk | 13.16.0 | — |
| Digium | Asterisk | 13.17.0 | — |
| Digium | Asterisk | 14.0 | — |
| Digium | Asterisk | 14.0.0 | — |
| Digium | Asterisk | 14.0.1 | — |
| Digium | Asterisk | 14.0.2 | — |
| Digium | Asterisk | 14.1 | — |
| Digium | Asterisk | 14.01 | — |
| Digium | Asterisk | 14.1.0 | — |
| Digium | Asterisk | 14.1.1 | — |
| Digium | Asterisk | 14.1.2 | — |
| Digium | Asterisk | 14.02 | — |
| Digium | Asterisk | 14.2 | — |
| Digium | Asterisk | 14.2.0 | — |
| Digium | Asterisk | 14.2.1 | — |
Showing 50 of 103 affected configurations. See NVD for the full list.
References
- http://downloads.asterisk.org/pub/security/AST-2017-006.htmlVendor Advisory
- http://www.securitytracker.com/id/1039252Third Party Advisory, VDB Entry
- https://bugs.debian.org/873908Issue Tracking, Patch, Third Party Advisory
- https://issues.asterisk.org/jira/browse/ASTERISK-27103Issue Tracking, Patch, Third Party Advisory
- http://downloads.asterisk.org/pub/security/AST-2017-006.htmlVendor Advisory
- http://www.securitytracker.com/id/1039252Third Party Advisory, VDB Entry
- https://bugs.debian.org/873908Issue Tracking, Patch, Third Party Advisory
- https://issues.asterisk.org/jira/browse/ASTERISK-27103Issue Tracking, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-14100?
How severe is CVE-2017-14100?
How do I fix CVE-2017-14100?
Are you affected by CVE-2017-14100?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST