FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- Unauthorized data disclosure and shell access command injection in app_minivm

Affected packages
asterisk11 < 11.25.2
asterisk13 < 13.17.1


VuXML ID c599f95c-8ee5-11e7-8be8-001999f8d30b
Discovery 2017-08-31
Entry 2017-09-01

The Asterisk project reports:

AST-2017-005 - A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected the new code allowed a new source address to be learned at all times.

AST-2017-006 - The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.


CVE Name CVE-2017-14099
CVE Name CVE-2017-14100