Digium Asterisk Manager Command Execution (May 17, 2012)

Asterisk is a software implementation of a telephone private branch exchange (PBX). Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services including the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Asterisk is released under a dual license model, using the GNU General Public License (GPL) as a free software license and a proprietary software license to permit licensees to distribute proprietary, unpublished system components.

Asterisk supports a wide range of video and Voice over IP protocols, including the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP), and H.323. Asterisk can interoperate with most SIP telephones, acting both as registrar and as a gateway between IP phones and the PSTN.

The Asterisk Manager Interface (AMI) is a simple text protocol for communicating with and managing almost every aspect of an Asterisk server. It allows a client program to connect to an Asterisk instance and issue commands or read events over a TCP/IP stream. AMI defines three kinds of packets:

  • Actions: Packets sent by the client. Only the client can generate Actions.
  • Responses: Every Action produces at least one Response, indicating the result of the executed (or requested) action.
  • Events: There are two kinds of events: those attached to a particular response for a particular action, and those Asterisk generates to inform the connected client about things happening in the server (call events, changes in variable values, agents and other clients connecting to or disconnecting from the server, etc.).

A typical action is the Login action, which looks like this ([CRLF] represents the carriage-return and line-feed characters):

	Action: Login[CRLF]
	Username: admin[CRLF]
	Secret: mysecret[CRLF]
	ActionId: 1a2b[CRLF]
	[CRLF]
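As an added example (not code from the advisory, SonicWall or the Asterisk project), the following Python encodes the Login action shown above and decodes the Responses and Events a client reads back, using the CRLF framing described. The sample stream, user names and ActionIDs are constructed for illustration, and the header name ActionID (the spelling Asterisk uses) is assumed.

```python
# Added example (not from the advisory or the Asterisk project): a minimal
# encoder/decoder for AMI packets, following the framing shown above.
# Each packet is a sequence of "Key: Value" lines separated by CRLF and
# terminated by an empty line (i.e. CRLF CRLF).

CRLF = "\r\n"


def encode_packet(fields):
    """Serialise an ordered list of (key, value) pairs into one AMI packet."""
    for key, value in fields:
        # A CR or LF embedded in a value would let a single field smuggle in an
        # extra header or end the packet early, so refuse it instead of emitting it.
        if any(ch in key or ch in value for ch in "\r\n"):
            raise ValueError(f"control characters not allowed in field {key!r}")
    return CRLF.join(f"{key}: {value}" for key, value in fields) + CRLF + CRLF


def login_action(username, secret, action_id):
    """Build the Login action from the advisory (header name ActionID assumed)."""
    return encode_packet([
        ("Action", "Login"),
        ("Username", username),
        ("Secret", secret),
        ("ActionID", action_id),
    ])


def decode_stream(data):
    """Split a raw AMI text stream into packets.

    Returns (packets, remainder): packets is a list of dicts mapping header
    names to values; remainder is any trailing data that does not yet form a
    complete packet (a partially received packet on a TCP stream).
    """
    packets = []
    while True:
        end = data.find(CRLF + CRLF)
        if end < 0:
            return packets, data
        raw, data = data[:end], data[end + 2 * len(CRLF):]
        fields = {}
        for line in raw.split(CRLF):
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key] = value
            else:
                # Lines that are not "Key: Value" (e.g. free-form output)
                # are collected verbatim so nothing in the packet is lost.
                fields.setdefault("_raw", []).append(line)
        packets.append(fields)


def classify(packet):
    """Map a decoded packet to one of the three AMI packet kinds."""
    if "Action" in packet:
        return "action"
    if "Response" in packet:
        return "response"
    if "Event" in packet:
        return "event"
    return "unknown"


def unanswered_actions(sent_ids, packets):
    """ActionIDs the client sent for which no Response has arrived yet.

    Every action is expected to produce at least one Response carrying the
    same ActionID, so leftover ids point at lost or still-pending actions.
    """
    answered = {p["ActionID"] for p in packets
                if classify(p) == "response" and "ActionID" in p}
    return [aid for aid in sent_ids if aid not in answered]


# Constructed sample of what a client might read after sending two actions;
# the final packet is deliberately cut off to show remainder handling.
SAMPLE_STREAM = (
    "Response: Success\r\nActionID: 1a2b\r\nMessage: Authentication accepted\r\n\r\n"
    "Event: FullyBooted\r\nPrivilege: system,all\r\nStatus: Fully Booted\r\n\r\n"
    "Response: Error\r\nActionID: 1a2c\r\nMessage: Permission denied\r\n\r\n"
    "Event: Hangup\r\nChannel: SIP/1001-0000"
)

if __name__ == "__main__":
    print(login_action("admin", "mysecret", "1a2b").replace("\r\n", "[CRLF]\n"))
    packets, remainder = decode_stream(SAMPLE_STREAM)
    for p in packets:
        print(classify(p), p)
    print("incomplete:", repr(remainder))
    print("unanswered:", unanswered_actions(["1a2b", "1a2c", "1a2d"], packets))
```

The encoder rejects CR and LF inside header values: because the packet boundary is nothing more than an empty line, a value that carries a line break would otherwise inject an extra header or terminate the packet early, which is exactly the class of framing problem a client library wants to rule out before bytes reach the server.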

A security bypass vulnerability exists in Digium Asterisk. If Asterisk receives a specially crafted action request from a user, it may allow that unauthorized user to execute administrator commands. A remote, authenticated attacker could exploit this vulnerability to compromise a vulnerable Asterisk server.

The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attacks targeting this issue:

  • 7839 Digium Asterisk Manager Interface Remote Command Execution

This vulnerability is tracked as CVE-2012-2414.
