製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Asterisk 製品の main/manager.c における任意のコマンドを実行される脆弱性

Title	複数の Asterisk 製品の main/manager.c における任意のコマンドを実行される脆弱性
Summary	複数の Asterisk 製品の main/manager.c には、不完全なブラックリストにより、任意のコマンドを実行される脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、送信 (originate) 権限および AMI Originate アクション内の ExternalIVR 値を利用されることで、任意のコマンドを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 30, 2012, midnight
Registration Date	Sept. 3, 2012, 3:35 p.m.
Last Update	Nov. 8, 2012, 5:49 p.m.

CVSS2.0 : 危険
Score	9
Vector	AV:N/AC:L/Au:S/C:C/I:C/A:C

Affected System

Digium

Asterisk Business Edition C.3.7.6 未満の C.3.x

Asterisk Open Source 1.8.15.1 未満の 1.8.x

Asterisk Open Source 10.7.1 未満の 10.x

Asterisk with Digiumphones 10.7.1-digiumphones 未満の 10.x.x-digiumphones

Certified Asterisk 1.8.11-cert6 未満の 1.8.11

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-2186	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2186
National Vulnerability Database (NVD)
2	CVE-2012-2186	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2186

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-nocwe	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnocwe

ベンダー情報

No	Name	URL
Asterisk Project Security Advisory
1	AST-2012-012	http://downloads.asterisk.org/pub/security/AST-2012-012.html
Debian Security Advisory
2	DSA-2550	http://www.debian.org/security/2012/dsa-2550

Change Log

No	Changed Details	Date of change
0	[2012年09月03日] 掲載 [2012年11月08日] ベンダ情報：Debian (DSA-2550) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-2186

Summary	Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
Publication Date	Aug. 31, 2012, 11:55 p.m.
Registration Date	Jan. 28, 2021, 2:57 p.m.
Last Update	Nov. 21, 2024, 10:38 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta1::::::
cpe:2.3:a:asterisk:open_source:1.8.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta2::::::
cpe:2.3:a:asterisk:open_source:1.8.4.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.11.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.11.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.2.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:beta3::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.9.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.3:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.3.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.4.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.5.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.4.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.12:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.4.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.7.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.11.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.11.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta4::::::
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc5::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc5::::::
cpe:2.3:a:asterisk:open_source:1.8.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.7:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.5:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.2.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:beta5::::::
cpe:2.3:a:asterisk:open_source:1.8.8.2:::::::*
cpe:2.3:a:sangoma:asterisk::::::::		1.8.15.0

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:asterisk:open_source:10.2.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.3.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.4.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.3:::::::*
cpe:2.3:a:asterisk:open_source:10.3.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.1:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc4::::::
cpe:2.3:a:asterisk:open_source:10.3.1:::::::*
cpe:2.3:a:asterisk:open_source:10.3.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.4.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.1.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.4.0:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.1:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:beta1::::::
cpe:2.3:a:asterisk:open_source:10.2.0:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.1.2:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.0.1:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.1.3:::::::*
cpe:2.3:a:asterisk:open_source:10.4.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.0.0:beta2::::::
cpe:2.3:a:sangoma:asterisk::::::::		10.7.0

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert3::::::
cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert::::::
cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert2::::::
cpe:2.3:a:asterisk:certified_asterisk::cert5::::::*		1.8.11
cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert1::::::
cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert4::::::

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:asterisk:digiumphones::::::::			10.7.0

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:asterisk:business_edition:c.3.0:::::::*
cpe:2.3:a:asterisk:business_edition::::::::		c.3.7.5

Related information, measures and tools

No	URL	タグ
1	http://downloads.asterisk.org/pub/security/AST-2012-012.html	Patch Vendor Advisory
2	http://downloads.asterisk.org/pub/security/AST-2012-012.html	Patch Vendor Advisory
3	http://secunia.com/advisories/50687
4	http://secunia.com/advisories/50687
5	http://secunia.com/advisories/50756
6	http://secunia.com/advisories/50756
7	http://www.debian.org/security/2012/dsa-2550
8	http://www.debian.org/security/2012/dsa-2550
9	http://www.securitytracker.com/id?1027460
10	http://www.securitytracker.com/id?1027460

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta1::::::
cpe:2.3:a:asterisk:open_source:1.8.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta2::::::
cpe:2.3:a:asterisk:open_source:1.8.4.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.11.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.11.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.2.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:beta3::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.9.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.3:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.3.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.6.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.4.3:::::::*
cpe:2.3:a:asterisk:open_source:1.8.5.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.4.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.0:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.12:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.4.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.8.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.7.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.11.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.1.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.11.0:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.7.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.0:beta4::::::
cpe:2.3:a:asterisk:open_source:1.8.8.0:rc5::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc3::::::
cpe:2.3:a:asterisk:open_source:1.8.4:rc2::::::
cpe:2.3:a:asterisk:open_source:1.8.0:rc5::::::
cpe:2.3:a:asterisk:open_source:1.8.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.6.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3.1:::::::*
cpe:2.3:a:asterisk:open_source:1.8.7:::::::*
cpe:2.3:a:asterisk:open_source:1.8.9.0:::::::*
cpe:2.3:a:asterisk:open_source:1.8.2:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.10.0:rc4::::::
cpe:2.3:a:asterisk:open_source:1.8.4:::::::*
cpe:2.3:a:asterisk:open_source:1.8.3.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.12.0:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.5:rc1::::::
cpe:2.3:a:asterisk:open_source:1.8.2.2:::::::*
cpe:2.3:a:asterisk:open_source:1.8.0:beta5::::::
cpe:2.3:a:asterisk:open_source:1.8.8.2:::::::*
cpe:2.3:a:sangoma:asterisk::::::::		1.8.15.0

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:asterisk:open_source:10.2.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.3.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.4.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.3:::::::*
cpe:2.3:a:asterisk:open_source:10.3.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.1:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc4::::::
cpe:2.3:a:asterisk:open_source:10.3.1:::::::*
cpe:2.3:a:asterisk:open_source:10.3.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.4.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.1.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.4.0:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:::::::*
cpe:2.3:a:asterisk:open_source:10.2.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.1:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:beta1::::::
cpe:2.3:a:asterisk:open_source:10.2.0:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.1.2:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc3::::::
cpe:2.3:a:asterisk:open_source:10.1.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.0.1:::::::*
cpe:2.3:a:asterisk:open_source:10.0.0:rc1::::::
cpe:2.3:a:asterisk:open_source:10.1.3:::::::*
cpe:2.3:a:asterisk:open_source:10.4.0:rc2::::::
cpe:2.3:a:asterisk:open_source:10.0.0:beta2::::::
cpe:2.3:a:sangoma:asterisk::::::::		10.7.0