Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
The vulnerability classified as CWE-732 (improper resource permissions) results from lack of proper path validation in the action_createconfig function. An attacker can use this function to create empty files in locations outside the Asterisk directory, which is a classic path traversal. However, the vendor notes that this operation requires a logged-in user with configuration management permissions and is not available to anonymous attackers.
An attacker with appropriate permissions can create empty files in arbitrary locations on the server's file system. The vendor disputes the possibility of full RCE, indicating that the impact is limited to writing empty files outside the product directory.
Apply patches available from the vendor according to the references. Since the attack requires privileged access, additionally apply the principle of least privilege and restrict access to the Asterisk management interface exclusively to trusted users and networks.
Sangoma Asterisk v22
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSangoma Asterisk
APPSangoma22.0.0 – 22.5.1
Related vulnerabilities
PJSIP is a free and open source multimedia communication library written in C language implementing standard b...
A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolk...
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, ...
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4...
In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup...