[v2.5] asterisk: permission escalation (AST-2014-006 CVE-2014-4046)
Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.
Affected: Alpine Linux v2.5 and v2.6 could be vulnerable.
Resolution: upgrade to a version with the patch integrated, apply the patch, or do not allow users who should not have permission to run shell commands to use AMI.
References and fixes: http://downloads.asterisk.org/pub/security/AST-2014-006.html
(from redmine: issue id 3046, created on 2014-06-16, closed on 2014-06-19)
- Relations:
- parent #3045 (closed)
- Changesets:
- Revision de55133b by Natanael Copa on 2014-06-17T11:37:35Z:
main/asterisk: fix permission escalation (AST-2014-006 CVE-2014-4046)
fixes #3046