An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk     13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system     authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
    (CVE-2019-18610)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2969 advisory.

    Brief introduction CVE-2019-13161 Description CVE-2019-18610 Description CVE-2019-18790 Description     CVE-2019-18976 Description CVE-2020-28242 Description For Debian 9 stretch, these problems have been fixed     in version 1:13.14.1~dfsg-2+deb9u6. We recommend that you upgrade your asterisk packages. For the detailed     security status of asterisk please refer to its security tracker page at: https://security-     tracker.debian.org/tracker/asterisk Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

ID	Name	Product	Family	Severity
252387	Linux Distros Unpatched Vulnerability : CVE-2019-18610	Nessus	Misc.	high
159473	Debian DLA-2969-1 : asterisk - LTS security update	Nessus	Debian Local Security Checks	high
131260	FreeBSD : asterisk -- AMI user could execute system commands (49b61ab6-0d04-11ea-87ca-001999f8d30b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2019-18610

high

Tenable Plugins

high

high

high