=====================================================================
CERT-Renater Information Note No. 2025/VULN493
_____________________________________________________________________

DATE : 01/08/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Asterisk versions prior to 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, 20.7-cert7.
=====================================================================

https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr
_____________________________________________________________________

Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Severity: Moderate
gtjoseph published GHSA-v9q8-9j8m-5xwp on Jul 31, 2025

Package: asterisk (Asterisk)
Affected versions: <= 18.26.2, <= 20.15.0, <= 21.10.0, <= 22.5.0, <= 18.9-cert15, <= 20.7-cert6
Patched versions: 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, 20.7-cert7

Description

Summary

I believe that in Asterisk there exists a path for an attacker to escalate their privileges to root, due to the fact that the /usr/sbin/safe_asterisk script, which can be used to start Asterisk in non-systemd environments and which runs as root, will run *.sh files in the /etc/asterisk/startup.d directory. Certain non-root users with legitimate write access to /etc/asterisk could place scripts in the startup.d directory that would be run as root the next time Asterisk is started.

NOTE: This issue exists only if the safe_asterisk script is used to start the Asterisk daemon. Installations that use the recommended systemd asterisk.service file to start Asterisk are not affected.
Details

In the /usr/sbin/safe_asterisk script, in roughly lines 160 - 170, you can see that there is a check to see if there exists the directory /etc/asterisk/startup.d/ and that, if it does, the script proceeds to execute and run EVERY file with a .sh extension. The wrapper safe_asterisk itself is launched by the service manager (SysV init script or FreePBX's amportal start) as root. The shell block is wrapped only in

    if [ -d "${ASTETCDIR}/startup.d" ]; then … ; fi

(no chmod, no ownership test). If a user has write access to /etc/asterisk to allow them to change Asterisk configuration (which may be perfectly valid), they could create the startup.d directory if it didn't already exist, and place scripts in it which would subsequently be run as root the next time the safe_asterisk script is run.

PoC

1. As a non-root user with write permissions on /etc/asterisk, create the /etc/asterisk/startup.d directory if it doesn't already exist.
2. Create a file named 01-test.sh in the /etc/asterisk/startup.d directory with a single line: touch /tmp/safe_asterisk_test
3. Restart asterisk using a method that invokes the safe_asterisk script.
4. Run ls -al /tmp/safe_asterisk_test and note that the file owner is root.

Impact

This would lead to a local privilege escalation allowing a non-root user to run scripts as the root user. However, the attacking user would still have had to be granted write access to the /etc/asterisk directory by a system administrator before the vulnerability could be exploited.
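A hardened form of the startup.d loop, added here as an illustration and not taken from the Asterisk fix: before any script is run, both the directory and the script must be owned by the expected uid (root in production) and must not be writable by group or others, which closes the path described above. The function names and the use of GNU stat -c are assumptions.

```shell
#!/bin/sh
# Hardened stand-in for the startup.d loop in safe_asterisk (added example,
# not the project's code). A script is run only if it is a regular file,
# not a symlink, owned by the expected uid, and not writable by group or
# others; the directory itself must pass the same test first.
# Assumes GNU stat (-c) as found on Linux.

# trusted_path PATH UID -> 0 if PATH may be trusted with root privileges
trusted_path() {
    path="$1"; want_uid="$2"
    [ ! -L "$path" ] || return 1
    { [ -f "$path" ] || [ -d "$path" ]; } || return 1
    set -- $(stat -c '%u %a' "$path")   # "<owner uid> <octal mode>"
    [ "$1" = "$want_uid" ] || return 1
    case "$2" in                        # mode such as 755 or 2775
        *[2367]?) return 1 ;;           # group write bit set
        *[2367])  return 1 ;;           # other write bit set
    esac
    return 0
}

# run_startup_scripts DIR UID -> runs DIR/*.sh that pass trusted_path and
# returns the number of scripts refused (0 when the directory is absent)
run_startup_scripts() {
    dir="$1"; want_uid="$2"; skipped=0
    [ -d "$dir" ] || return 0
    if ! trusted_path "$dir" "$want_uid"; then
        echo "safe_asterisk: $dir not owned by uid $want_uid or writable by others; ignoring" >&2
        return 1
    fi
    for script in "$dir"/*.sh; do
        [ -f "$script" ] || continue    # unmatched glob or non-file
        if trusted_path "$script" "$want_uid"; then
            sh "$script"
        else
            echo "safe_asterisk: refusing untrusted $script" >&2
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Stand-alone use against the real directory, as the root wrapper would:
# run_startup_scripts "${ASTETCDIR:-/etc/asterisk}/startup.d" 0
```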
Severity

Moderate, 6.9 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Local
  Attack Complexity: Low
  Attack Requirements: Present
  Privileges Required: High
  User interaction: Passive
Vulnerable System Impact Metrics
  Confidentiality: High
  Integrity: High
  Availability: None
Subsequent System Impact Metrics
  Confidentiality: High
  Integrity: High
  Availability: None
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

CVE ID: CVE-2025-1131
Weaknesses: CWE-427
Credits: @ThatTotallyRealMyth (ThatTotallyRealMyth), Finder
_____________________________________________________________________

Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c

Severity: Moderate
gtjoseph published GHSA-mrq5-74j5-f5cr on Jul 31, 2025

Package: asterisk (Asterisk)
Affected versions: <= 18.26.2, <= 20.15.0, <= 21.10.0, <= 22.5.0, <= 20.7-cert6
Patched versions: 18.26.3, 20.15.1, 21.10.1, 22.5.1, 20.7-cert7

Description

Summary

There is a remote DoS and possible RCE condition in asterisk/res/res_stir_shaken/verification.c that can be exploited when:

- An attacker can set an arbitrary Identity header
- STIR/SHAKEN is enabled, with Verification set in the SIP profile associated with the endpoint to be attacked

Details

The issue is here (asterisk/res/res_stir_shaken/verification.c, line 912 in c7a8271):

    p = strchr(ctx->identity_hdr, ';');
    len = p - ctx->identity_hdr + 1;
    jwt_encoded = ast_malloc(len);
    if (!jwt_encoded) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: Failed to allocate memory for encoded jwt\n", ctx->tag);
    }
    memcpy(jwt_encoded, ctx->identity_hdr, len);

If the proper section of the Identity header does not contain any semicolons, then p will be null and len will be a negative number, or possibly positive if wrapped. This could cause a denial-of-service condition. Later in the code this value is used for ast_malloc() and memcpy(). It may be remotely exploitable for an RCE or not.
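A hardened stand-in for the extraction quoted above, added here as an illustration and not taken from Asterisk's patch: the strchr() result is checked before any length is derived from it, so an Identity header value without a ';' (RFC 8224 requires the info parameter after the signature, so such a value is malformed) is rejected instead of reaching malloc()/memcpy() with a negative or wrapped length. The function and enum names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Result codes of the illustrative extractor (names assumed, not Asterisk's). */
enum jwt_extract_rc { JWT_OK = 0, JWT_MALFORMED = -1, JWT_NOMEM = -2 };

/*
 * Copy the leading JWT of a SIP Identity header value (everything before the
 * first ';') into a newly allocated NUL-terminated string stored in *out.
 * A NULL from strchr() is treated as a malformed header, which is exactly the
 * case that made the original code compute len from a NULL pointer.
 */
static enum jwt_extract_rc extract_identity_jwt(const char *identity_hdr, char **out)
{
    const char *p;
    size_t len;
    *out = NULL;
    if (!identity_hdr) {
        return JWT_MALFORMED;
    }
    p = strchr(identity_hdr, ';');
    if (!p || p == identity_hdr) {      /* no ';' at all, or nothing before it */
        return JWT_MALFORMED;
    }
    len = (size_t)(p - identity_hdr);   /* token bytes, excluding the ';' */
    *out = malloc(len + 1);
    if (!*out) {
        return JWT_NOMEM;
    }
    memcpy(*out, identity_hdr, len);
    (*out)[len] = '\0';
    return JWT_OK;
}

int main(void)
{
    /* Constructed sample values; the first follows the Identity header layout. */
    const char *good = "eyJhbGciOiJFUzI1NiJ9.e30.sig;info=<https://example.invalid/cert.pem>;alg=ES256;ppt=shaken";
    const char *bad = "eyJhbGciOiJFUzI1NiJ9.e30.sig";
    char *jwt = NULL;
    if (extract_identity_jwt(good, &jwt) == JWT_OK) {
        printf("token: %s\n", jwt);
        free(jwt);
    }
    printf("header without ';' -> rc %d\n", extract_identity_jwt(bad, &jwt));
    return 0;
}
```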
PoC

In the latest version of Asterisk 22, configure STIR/SHAKEN and add a match for an identity of "127.0.0.2", and configure STIR/SHAKEN (non-trivial, sadly). Then modify, compile, and run the partially obfuscated PoC golang application attached: asterisk-jwt.go.txt

This may result in a segfault, or an error message similar to the following:

    [1284639.490024] asterisk[514786]: segfault at 20 ip 00007e9c3f3dad95 sp 00007e9c7c2271b0 error 4 in res_stir_shaken.so[7e9c3f3d0000+1a000] likely on CPU 0 (core 0, socket 0)
    [1284639.490041] Code: 00 00 00 00 90 f3 0f 1e fa 41 55 49 89 d5 41 54 49 89 f4 55 48 89 fd 53 48 83 ec 08 e8 54 64 ff ff 48 85 c0 0f 84 c3 00 00 00 <48> 8b 4d 20 48 8b 75 00 4c 89 e2 48 89 c7 48 89 c3 e8 35 60 ff ff
    [2025-06-07 13:02:58] ERROR[269756]: res_stir_shaken/verification.c:916 ast_stir_shaken_vs_verify: PJSIP/anveodirect-00000000: Failed to allocate memory for encoded jwt. Len: -1144712157

Note that I added Len in code for the error above to help in debugging.

Impact

An end-user running Asterisk with STIR/SHAKEN enabled with verification for an endpoint that can be reached by an attacker is susceptible to this condition.

Severity

Moderate, 6.5 / 10

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2025-49832
Weaknesses: CWE-476
Credits: @wtfismyip (wtfismyip), Reporter

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================