Digium Asterisk GUI Migration Plan

Thursday, September 21, 2017 @ 04:09 PM gHale


Digium is recommending that users migrate to its SwitchVox product to avoid an OS command injection vulnerability (improper neutralization of special elements used in an OS command) in its Asterisk GUI, because the software is no longer maintained, according to a report with ICS-CERT.

A framework for configuring graphical user interfaces, Asterisk GUI 2.1.0 and prior suffer from the remotely exploitable vulnerability, discovered by Davy Douhine of RandoriSec.

Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the device.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could exploit the vulnerability.

An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.

CVE-2017-14001 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

The product sees use mainly in the commercial facilities, communications, and critical manufacturing sectors. It is also deployed on a global basis.

Asterisk GUI is no longer maintained and should not be used. Alabama-based Digium recommended that affected users migrate to its SwitchVox product.


