CVE-2017-14100 in Asterisk
Summary
by MITRE
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
Analysis
by VulDB Data Team • 12/17/2019
CVE-2017-14100 is a critical command injection flaw in the Asterisk telephony platform that affects the 11.x, 13.x and 14.x release branches. It lies in the app_minivm module, which handles voicemail notifications through the MinivmNotify dialplan application. The flaw stems from missing validation and sanitization of caller-id information, giving remote attackers a path to execute arbitrary commands on the affected system. It is classified under CWE-78 (OS command injection), a well-documented weakness in software that passes untrusted input to a shell. The attack vector is particularly concerning because exploitation requires minimal privileges: the malicious input can originate from any party able to place a call to the system, so an attacker need only supply specially formatted caller-id information to trigger the vulnerability.
Technically, the vulnerability is reached when MinivmNotify processes a voicemail notification and incorporates the caller-id name and number directly into a shell command string without sanitization. The command is built by concatenating the caller-id values with the configured externnotify program, and when that string is handed to the operating system shell, attacker-controlled caller-id data can inject additional commands that are interpreted and executed with the privileges of the Asterisk process. This type of vulnerability falls under the ATT&CK framework's technique T1059.001 for command and scripting interpreter, specifically shell scripting, where adversaries execute commands through shell environments. It is particularly dangerous because the Asterisk process typically runs with elevated privileges, so successful exploitation could lead to full system compromise and unauthorized access to the entire telephony infrastructure.
The operational impact of this vulnerability extends beyond simple command execution, potentially allowing attackers to gain complete control over the affected Asterisk system and its underlying infrastructure. Attackers could leverage this vulnerability to install backdoors, exfiltrate sensitive telephony data, disrupt services, or use the compromised system as a pivot point for attacking other network resources. The vulnerability affects organizations that rely on Asterisk for voice communications, including businesses, telecommunications providers, and enterprises with VoIP infrastructure, making it a significant concern for any organization operating these telephony systems. The risk is compounded by the fact that the vulnerability exists across multiple version branches, requiring organizations to assess and update their systems across all affected releases. The attack requires minimal sophistication and can be automated, making it particularly attractive to threat actors seeking to exploit telephony systems for unauthorized access or disruption.
Mitigation strategies for CVE-2017-14100 should focus on immediate patching of all affected Asterisk versions, with particular attention to the certified releases that also require updates. Organizations should implement network segmentation to limit access to Asterisk systems and restrict the ability of external parties to make calls that could trigger the vulnerability. Input validation and sanitization measures should be implemented at the application level to prevent untrusted data from being processed through shell commands, and organizations should consider implementing proper access controls and monitoring for unusual command execution patterns. The vulnerability demonstrates the importance of following secure coding practices and adhering to principles such as input validation, privilege separation, and defense in depth. Security teams should also implement regular vulnerability assessments and penetration testing of telephony infrastructure to identify and remediate similar weaknesses. Additionally, organizations should establish incident response procedures specifically for telephony system compromises and maintain detailed logs of all telephony activities to facilitate forensic analysis in case of exploitation.
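As an added illustration (not Asterisk code and not from VulDB) of the mechanism described in the analysis and of the argv-based fix the mitigation section calls for, the snippet below builds the externnotify command both ways: a single string handed to the shell, as the vulnerable app_minivm path did, and an argument vector that never touches a shell. `/bin/echo` stands in for the externnotify program, and the caller-id name, number and mailbox are constructed values; the metacharacter check is a defensive filter that is assumed, not part of Asterisk.

```python
import re
import subprocess

# Stand-in for the configured externnotify program (assumption for the demo):
# /bin/echo simply prints whatever arguments it receives.
EXTERNNOTIFY = "/bin/echo"

# Constructed sample values. The caller-id name carries shell metacharacters;
# the only thing it can make /bin/sh do here is run another echo.
CRAFTED_CID_NAME = 'Alice"; echo INJECTED; echo "'
CID_NUM = "5551234"
MAILBOX = "1000@default"

# Characters that let a caller-id value alter a shell command line.
SHELL_META = re.compile(r'[;&|`$<>(){}\\"\'\n\r]')


def notify_unsafe(cid_name, cid_num, mailbox):
    """Vulnerable pattern: caller-id is concatenated into one string that
    /bin/sh parses, so quotes and ';' in the name become new commands.
    Returns the stdout lines the shell produced."""
    cmd = '%s "%s" "%s" "%s"' % (EXTERNNOTIFY, cid_name, cid_num, mailbox)
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.splitlines()


def notify_safe(cid_name, cid_num, mailbox):
    """Hardened pattern: an argv list executed without a shell, so each
    caller-id value is delivered to the notifier as exactly one argument."""
    argv = [EXTERNNOTIFY, cid_name, cid_num, mailbox]
    res = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return res.stdout.splitlines()


def callerid_suspicious(value):
    """Defensive input check: flag caller-id values containing shell
    metacharacters before they reach any notifier or log hook."""
    return bool(SHELL_META.search(value))


if __name__ == "__main__":
    print("unsafe :", notify_unsafe(CRAFTED_CID_NAME, CID_NUM, MAILBOX))
    print("safe   :", notify_safe(CRAFTED_CID_NAME, CID_NUM, MAILBOX))
    print("flagged:", callerid_suspicious(CRAFTED_CID_NAME))
```

The unsafe path yields three separate command executions from one notification, while the safe path hands the notifier a single literal argument.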