// For flags

CVE-2024-42365

Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan

Severity Score

7.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.

On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with write=originate may change all configuration files in the /etc/asterisk/ directory. Writing a new extension can be created which performs a system command to achieve RCE as the asterisk service user (typically asterisk). Default parking lot in FreePBX is called "Default lot" on the website interface, however its actually parkedcalls. Tested against Asterisk 19.8.0 and 18.16.0 on Freepbx SNG7-PBX16-64bit-2302-1.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-07-30 CVE Reserved
  • 2024-08-08 CVE Published
  • 2024-08-12 CVE Updated
  • 2024-12-03 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-267: Privilege Defined With Unsafe Actions
  • CWE-1220: Insufficient Granularity of Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Asterisk
Search vendor "Asterisk"
 Asterisk
Search vendor "Asterisk" for product "Asterisk"
 < 18.24.2
Search vendor "Asterisk" for product "Asterisk" and version " < 18.24.2"
en
Affected
Asterisk
Search vendor "Asterisk"
 Asterisk
Search vendor "Asterisk" for product "Asterisk"
 >= 19.0.0 < 20.9.2
Search vendor "Asterisk" for product "Asterisk" and version " >= 19.0.0 < 20.9.2"
en
Affected
Asterisk
Search vendor "Asterisk"
 Asterisk
Search vendor "Asterisk" for product "Asterisk"
 >= 21.0.0 < 21.4.2
Search vendor "Asterisk" for product "Asterisk" and version " >= 21.0.0 < 21.4.2"
en
Affected
Asterisk
Search vendor "Asterisk"
 Asterisk
Search vendor "Asterisk" for product "Asterisk"
 < 18.9
Search vendor "Asterisk" for product "Asterisk" and version " < 18.9"
en
Affected
Asterisk
Search vendor "Asterisk"
 Asterisk
Search vendor "Asterisk" for product "Asterisk"
 >= 19.0 < 20.7
Search vendor "Asterisk" for product "Asterisk" and version " >= 19.0 < 20.7"
en
Affected