Abstract
Last summer during a pentest for a client we came across a product made by an international provider of intercom systems which uses the very popular Asterisk communication software and found a trivial remote command execution vulnerability in its latest GUI (2.1.0).
This product is used in many very sensitive environments like prisons and official buildings.
We chose to responsibly disclose it, directly to Digium and to the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Unfortunately it won’t be patched, as the product is no longer maintained by Digium (https://wiki.asterisk.org/wiki/display/AST/Asterisk+GUI).
ICS-CERT has released an advisory and a CVE (CVE-2017-14001) has been assigned.
Many thanks to Digium and the ICS-CERT teams.
Advisory
“(…) Successful exploitation of this vulnerability could cause an authenticated attacker to execute arbitrary code on the device. (…)”.
https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03
Mitigation
Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium’s SwitchVox product.
As the GUI is open source, resellers who cannot migrate easily could patch it themselves.
Otherwise, avoid default or weak credentials on the Asterisk GUI and do not expose it to the Internet or other untrusted networks.
In the wild
Searches on Google or Shodan for “Server: Asterisk” on TCP ports 80, 443, 8080, 8088 and 8089 return a few hundred results.
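To inventory your own hosts for the exposure described above, the following Python script (an added example, not part of the original write-up or of Digium’s code) parses an HTTP response head, reports whether its Server header identifies Asterisk, and can probe the TCP ports the write-up lists. The hosts and banners in SAMPLE_BANNERS are constructed for offline use and do not correspond to real systems.

```python
"""Exposure check for Asterisk HTTP banners (added example, not from the advisory).

Defensive use: find Asterisk GUI instances on your own network so they can be
taken off untrusted networks or migrated, as the mitigation section advises.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Ports named in the write-up's Shodan/Google search.
ASTERISK_GUI_PORTS = (80, 443, 8080, 8088, 8089)
TLS_PORTS = (443, 8089)

# Constructed sample banners, keyed by (host, port); not captured from real hosts.
SAMPLE_BANNERS: Dict[Tuple[str, int], bytes] = {
    ("10.0.0.5", 8088): b"HTTP/1.1 200 OK\r\nServer: Asterisk/11.25.1\r\nContent-Type: text/html\r\n",
    ("10.0.0.5", 80): b"HTTP/1.1 200 OK\r\nserver: nginx/1.14.0\r\n",
    ("10.0.0.6", 8089): b"HTTP/1.1 401 Unauthorized\r\nServer: Asterisk/13.18.0\r\n"
                        b"WWW-Authenticate: Basic realm=\"Asterisk\"\r\n",
    ("10.0.0.7", 8080): b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n",
}


def parse_server_header(raw_head: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response head, or None.

    Header names are matched case-insensitively; the status line is skipped.
    """
    text = raw_head.decode("iso-8859-1")  # never raises: every byte maps to a code point
    lines = text.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == "server":
            return value.strip()
    return None


def is_asterisk_banner(raw_head: bytes) -> bool:
    """True when the Server header starts with 'Asterisk' (the banner the write-up searches for)."""
    server = parse_server_header(raw_head)
    return server is not None and server.lower().startswith("asterisk")


def exposed_asterisk_services(banners: Dict[Tuple[str, int], bytes]) -> List[Tuple[str, int]]:
    """Given {(host, port): raw_head}, return the endpoints that advertise Asterisk, sorted."""
    return sorted(hp for hp, head in banners.items() if is_asterisk_banner(head))


def grab_http_head(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Send a minimal HEAD request and return the raw response head, or None on any error.

    TLS ports are wrapped without certificate verification because we only read
    a banner from our own hosts; nothing sent here depends on trusting the peer.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port in TLS_PORTS:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        return data.split(b"\r\n\r\n", 1)[0]
    except OSError:  # covers socket timeouts, refused connections and ssl.SSLError
        return None


def scan_host(host: str, ports: Tuple[int, ...] = ASTERISK_GUI_PORTS) -> List[Tuple[str, int]]:
    """Probe one host on the listed ports and return the endpoints advertising Asterisk."""
    banners: Dict[Tuple[str, int], bytes] = {}
    for port in ports:
        head = grab_http_head(host, port)
        if head is not None:
            banners[(host, port)] = head
    return exposed_asterisk_services(banners)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; replace with scan_host("<your-host>").
    for host, port in exposed_asterisk_services(SAMPLE_BANNERS):
        print(f"{host}:{port} advertises {parse_server_header(SAMPLE_BANNERS[(host, port)])}")
```

Run it as-is to see the two constructed endpoints flagged; point scan_host at a host you administer to check it on the five ports. Anything it flags belongs behind an internal network and strong credentials until it is migrated.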
Timeline
2017/09/05 First mail sent to security@asterisk.org
2017/09/06 Answer received: “I’ve looked over the code in question and it is still applicable (…) As the project isn’t maintained anymore we won’t be fixing and releasing an updated version ourselves.”
2017/09/06 Mail sent to security@asterisk.org to ask for a link to the affected code
2017/09/06 Answer received with links
2017/09/06 Full report (this document) sent to ICS-CERT
2017/09/21 ICS-CERT advisory is released