Digium Asterisk GUI
Status: Plan Patch
CVSS: 8.8
Source: ICS-CERT ICSA-17-264-03
Published: Sep 21, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Asterisk GUI versions 2.1.0 and prior contain an OS command injection vulnerability (CWE-78) in the web management interface that allows authenticated users to execute arbitrary system commands with elevated privileges. The vulnerability is remotely exploitable with low skill requirements. The CVSS score is 8.8 (high severity): network attack vector, low attack complexity, and low privileges required (an authenticated user).
What this means
What could happen
An authenticated attacker could execute arbitrary commands on systems running Asterisk GUI, potentially disrupting VoIP phone system operations or gaining access to call data and system configuration.
Who's at risk
Organizations using Asterisk GUI for VoIP phone system management should be concerned. This affects telephone/voice communication systems in any industry that relies on Asterisk-based PBX deployments, including utilities, healthcare, and office environments.
How it could be exploited
An attacker with valid login credentials to the Asterisk GUI web interface could inject operating system commands through the GUI that are executed with system privileges. The attack requires network access to the GUI port and valid credentials, but exploitation is straightforward once those are obtained.
Prerequisites
- Network access to Asterisk GUI web interface (typically port 80/443)
- Valid Asterisk GUI user credentials
- Asterisk GUI version 2.1.0 or earlier
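The injection pattern described above, as an added illustration that is not Asterisk GUI's code: it assumes a hypothetical web handler that takes a host name from an authenticated user and pings it. The vulnerable form concatenates the value into a shell command line, which is the CWE-78 defect; the hardened form allowlists the value and hands an argv list straight to the process so no shell ever parses it. A small metacharacter check shows what a request filter or log review would flag.

```python
import re
import subprocess

# Hostname allowlist: labels of letters, digits and inner hyphens, dot separated.
# Constructed for this example; it admits IPv4 addresses too.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters that change how a POSIX shell would parse a command line.
SHELL_META = re.compile(r"[;&|`$()<>{}\n\\\"']")


def build_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: user input is pasted into a string that a shell will parse.

    Passing this to os.system() or subprocess.run(..., shell=True) lets a
    metacharacter in `host` terminate the ping and start a second command.
    """
    return f"ping -c 1 {host}"


def contains_shell_metacharacters(value: str) -> bool:
    """Defender-side check usable in request validation or when reviewing access logs."""
    return SHELL_META.search(value) is not None


def validate_hostname(host: str) -> str:
    """Allowlist the value: anything outside the hostname grammar is rejected, not escaped."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def build_argv_hardened(host: str) -> list:
    """Hardened form: validated value placed in an argv list, one argument per element."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default: argv goes to execve(), so metacharacters are inert.
    return subprocess.run(build_argv_hardened(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    tainted = "127.0.0.1; id"          # constructed sample input
    print(build_command_vulnerable(tainted))        # a shell would run ping, then id
    print(contains_shell_metacharacters(tainted))   # True: flag the request
    try:
        build_argv_hardened(tainted)
    except ValueError as err:
        print(err)                                  # hardened path refuses it
    print(build_argv_hardened("pbx.example.internal"))
```

The hardened path rejects rather than escapes: escaping for one shell dialect is brittle, whereas an allowlist plus argv passing removes the shell from the data path entirely, which is the fix CWE-78 calls for.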
Tags: remotely exploitable; no patch available; low complexity exploitation; product end-of-life
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (1)
Product | Affected Versions | Fix Status
Asterisk GUI: 2.1.0 and prior | ≤ 2.1.0 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Asterisk GUI to trusted management workstations only, using firewall rules
- WORKAROUND: Disable or deactivate Asterisk GUI if it is not actively required for operations
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Migrate away from Asterisk GUI to a maintained alternative such as Digium SwitchVox
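The first workaround above, restricting the GUI's web ports to management workstations, as an added example that is not Digium's or ICS-CERT's guidance: it generates an nftables ruleset from an allowlist of management networks. The table and chain names, the management CIDRs and the choice of ports 80 and 443 (the ports named under Prerequisites) are assumptions; the generator refuses the catch-all networks 0.0.0.0/0 and ::/0, which would make the rule useless.

```python
import ipaddress

GUI_PORTS = (80, 443)   # typical Asterisk GUI web ports per the advisory; adjust to the deployment


def parse_mgmt_networks(cidrs):
    """Validate the allowlist and split it into IPv4 and IPv6 networks."""
    v4, v6 = [], []
    for cidr in cidrs:
        # strict=True rejects host bits set in the prefix (e.g. 10.20.0.5/24) as well as junk
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all network {cidr}: it would admit every source")
        (v4 if net.version == 4 else v6).append(net)
    if not v4 and not v6:
        raise ValueError("at least one management network is required")
    return v4, v6


def build_nft_ruleset(cidrs, ports=GUI_PORTS):
    """Emit an nftables ruleset: GUI ports reachable only from the management networks.

    Chain policy stays 'accept' so no other service is affected; only the GUI
    ports get an explicit accept-from-allowlist followed by a drop for everyone else.
    """
    v4, v6 = parse_mgmt_networks(cidrs)
    portset = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [
        "table inet asterisk_gui_acl {",          # hypothetical table name
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
    ]
    if v4:
        srcs = ", ".join(str(n) for n in v4)
        lines.append(f"        tcp dport {portset} ip saddr {{ {srcs} }} accept")
    if v6:
        srcs = ", ".join(str(n) for n in v6)
        lines.append(f"        tcp dport {portset} ip6 saddr {{ {srcs} }} accept")
    lines.append(f"        tcp dport {portset} drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed management networks; replace with the site's own.
    print(build_nft_ruleset(["10.20.0.0/24", "fd00:1::/64"]))
    # Apply on the PBX host as root with: nft -f <saved file>
```

Write the output to a file and load it with `nft -f` on the Asterisk host, or translate the same allowlist into the upstream firewall if the PBX sits behind one. The drop rule only covers the GUI ports, so SIP/RTP and other services keep whatever policy they already have.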
CVEs (1)