CVE-2024-57520
Published: 05 February 2025
Description
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Security Summary
CVE-2024-57520 is an insecure permissions vulnerability (CWE-732) affecting Asterisk version 22, specifically in the action_createconfig function. The issue has been reported to enable a remote attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, and no required privileges or user interaction.
The reported attack scenario is remote exploitation of the action_createconfig function. According to the reporter, this allows arbitrary code execution; the supplier disputes this, stating that the impact is limited to directory traversal that creates empty files outside the Asterisk product directory. The supplier further notes that exploitation requires a privileged user with the ability to manage the configuration.
Advisories reference a GitHub issue (https://github.com/asterisk/asterisk/issues/1122) where the supplier disputes the severity and a Gist (https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621) likely containing additional details or a proof-of-concept. No specific patches or mitigations are detailed in the provided information.
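The disputed impact is an empty file created outside the product directory through a traversal in the configuration-file name. As an added example (not Asterisk's code, and not a published fix), the following shows how a "create config" handler can confine the resulting path to an assumed configuration root before creating the file; the directory name, function names and sample filenames are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed configuration root; Asterisk's real layout is not taken from the page.
CONFIG_DIR = Path("/etc/asterisk")


def resolve_config_path(filename: str, config_dir: Path = CONFIG_DIR) -> Path:
    """Resolve `filename` under config_dir, rejecting anything that escapes it."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    # An absolute name would make the join discard config_dir entirely.
    if Path(filename).is_absolute():
        raise ValueError("absolute path not allowed")
    root = config_dir.resolve()
    # resolve() collapses '..' segments and follows symlinks (non-strict: the
    # target does not have to exist yet), so the check is on the real location.
    candidate = (root / filename).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"path escapes config directory: {filename!r}")
    return candidate


def create_empty_config(filename: str, config_dir: Path = CONFIG_DIR) -> Path:
    """Hardened create: validate containment, then create the empty file."""
    target = resolve_config_path(filename, config_dir)
    # O_EXCL refuses to clobber an existing file; 0o600 keeps it owner-only.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return target


def is_contained(filename: str, config_dir: Path = CONFIG_DIR) -> bool:
    """True if filename stays inside config_dir (useful for logging rejects)."""
    try:
        resolve_config_path(filename, config_dir)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed run in a scratch directory: one accepted name, two rejected."""
    scratch = Path(tempfile.mkdtemp())
    created = create_empty_config("pjsip.conf", scratch)
    return {
        "created_size": created.stat().st_size,
        "traversal_rejected": not is_contained("../../outside.conf", scratch),
        "absolute_rejected": not is_contained("/tmp/outside.conf", scratch),
    }
```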
Details
- CWE(s)