CVE-2010-0685 in Asterisk

Summary

by MITRE

The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available.


Analysis

by VulDB Data Team • 05/01/2026

The vulnerability described in CVE-2010-0685 represents a critical security flaw in the dialplan functionality of Asterisk telephony systems, affecting multiple versions including 1.2.x, 1.4.x, 1.6.x, and various Business Edition releases. This issue specifically targets the handling of the ${EXTEN} channel variable within dialplan contexts, where wildcard pattern matching is employed to process incoming SIP INVITE messages. The flaw occurs when the system fails to properly sanitize user-supplied input that gets expanded into the dialplan, creating a potential injection vector that can be exploited by context-dependent attackers.

The technical implementation of this vulnerability stems from the improper handling of metacharacters within the ${EXTEN} variable expansion process. When Asterisk processes a crafted SIP INVITE message, the system's dialplan evaluation mechanism allows maliciously constructed extension numbers to contain special characters that are interpreted as command delimiters or injection points. This occurs because the dialplan engine does not adequately filter or escape these metacharacters before incorporating them into the execution context, particularly when using the Dial application to establish new channel legs. The vulnerability is classified under CWE-74 as "Improper Neutralization of Special Elements in Output Used by a Downstream Component" and demonstrates characteristics consistent with CWE-94, "Improper Control of Generation of Code ('Code Injection')", since the injected strings can potentially execute arbitrary commands within the dialplan context.

The operational impact of this vulnerability extends beyond simple injection attacks, as it enables attackers to manipulate the telephony system's behavior in potentially severe ways. An attacker could craft SIP INVITE messages that, when processed through the vulnerable dialplan functionality, result in unintended channel creation, unauthorized call routing, or even privilege escalation within the telephony environment. The attack vector specifically targets the Dial application, which is fundamental to telephony operations, making the potential damage significant for organizations relying on Asterisk for their communication infrastructure. This vulnerability effectively allows an attacker to bypass normal dialplan security controls and inject malicious dialplan instructions that could redirect calls, access restricted services, or establish unauthorized communication paths.

The exploitation of this vulnerability demonstrates the broader class of issues that arise when applications fail to properly validate and sanitize user input in contexts where that input is subsequently processed as code or configuration data. This aligns with ATT&CK technique T1059.007, "Command and Scripting Interpreter: Python", as the injection can potentially lead to arbitrary code execution within the telephony environment, though in this case the execution occurs through dialplan processing rather than traditional scripting. The vulnerability highlights the critical importance of input validation and sanitization in telephony systems, particularly those that process user-supplied data through configuration mechanisms. Organizations should recognize that while this specific issue affects Asterisk, it represents a fundamental design pattern that could exist in any system where user input is expanded into execution contexts without proper filtering mechanisms. The suggested mitigations include implementing strict input validation for extension numbers, applying proper escaping of special characters in dialplan contexts, and ensuring that all user-supplied data undergoes appropriate sanitization before being processed by the dialplan evaluation engine.
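The mitigation described above can be checked mechanically. The following is an added example, not code from MITRE, VulDB or the Asterisk project: a small auditor that flags Dial calls fed by an unfiltered ${EXTEN} under a wildcard pattern and accepts values wrapped in Asterisk's FILTER() dialplan function. The sample dialplan, the `audit` function and the `SINKS` set are assumptions made for illustration.

```python
import re

# Constructed sample dialplan for illustration (not from any real deployment).
SAMPLE = """\
[incoming]
exten => _X.,1,NoOp(call to ${EXTEN})
same => n,Dial(SIP/${EXTEN})
exten => _NXXXXXX,1,Dial(SIP/${EXTEN})
[filtered]
exten => _X.,1,Set(SAFE=${FILTER(0-9,${EXTEN})})
same => n,Dial(SIP/${SAFE})
exten => _9.,1,Dial(SIP/trunk/${FILTER(0-9,${EXTEN:1})})
"""

EXTEN_LINE = re.compile(r"^exten\s*=>?\s*([^,]+),[^,]+,(.*)$")
SAME_LINE = re.compile(r"^same\s*=>?\s*[^,]+,(.*)$")
RAW_EXTEN = re.compile(r"\$\{EXTEN(?::[^}]*)?\}")
# ${EXTEN} wrapped directly in FILTER(allowed-chars,...) counts as neutralized.
FILTERED = re.compile(r"\$\{FILTER\([^,]*,\s*\$\{EXTEN(?::[^}]*)?\}\)\}")
SINKS = {"dial"}  # assumption: only the application the CVE text names


def audit(dialplan):
    """Return (line, context, pattern) for each Dial fed by unfiltered ${EXTEN}."""
    findings, context, pattern = [], None, None
    for lineno, raw in enumerate(dialplan.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            context, pattern = line[1:-1], None
            continue
        m = EXTEN_LINE.match(line)
        if m:
            pattern, app = m.group(1).strip(), m.group(2)
        else:
            m = SAME_LINE.match(line)
            if not m or pattern is None:
                continue
            app = m.group(1)  # "same =>" inherits the previous pattern
        # X, Z, N match digits only; "." and "!" match any characters.
        wildcard = pattern.startswith("_") and re.search(r"[.!]", pattern[1:])
        name = app.split("(", 1)[0].strip().lower()
        if wildcard and name in SINKS and RAW_EXTEN.search(FILTERED.sub("", app)):
            findings.append((lineno, context, pattern))
    return findings


if __name__ == "__main__":
    for lineno, context, pattern in audit(SAMPLE):
        print(f"line {lineno}: [{context}] {pattern} passes raw ${{EXTEN}} to Dial")
```

The check is a heuristic: it does not follow a raw ${EXTEN} copied into another variable with Set() before reaching Dial, so treat a clean result as a starting point for review.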

Reservation: 02/22/2010
Disclosure: 02/23/2010
Moderation: accepted
Entry: VDB-51950
CPE: ready
EPSS: 0.00101
KEV: no
Activities: very low
