SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-874648910] Digium Asterisk GUI

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2017-09-21 | Other | Digium | Davy Douhine of RandoriSec reported the vulnerability to ICS-CERT. | N/A | CVE-2017-14001 | N/A | | N/A | N/A |

Source

#
# Digium Asterisk GUI
#


### VULNERABLE VENDOR
Digium


### VULNERABLE PRODUCT
Asterisk GUI



### RESEARCHER
Davy Douhine of RandoriSec reported the vulnerability to ICS-CERT.



### AFFECTED PRODUCTS

The following versions of Asterisk GUI, a framework for configuring graphical user interfaces, are affected:

Asterisk GUI 2.1.0 and prior



### IMPACT

Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the device.



### VULNERABILITY OVERVIEW

IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78
An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
CVE-2017-14001 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
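As an added illustration that is not part of the advisory or of Asterisk GUI's own code, the following Python pass shows what a defender can do with the overview above: scan constructed HTTP access-log lines for query values carrying shell metacharacters (the shape a CWE-78 injection through a URL request takes), and apply the allowlist check that neutralizes such values before they reach any command. The `/asterisk/gui/config` path and the `file` parameter are hypothetical, chosen only for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Shell metacharacters that let a value escape into a second command.
META = re.compile(r"[;&|`$<>\n]")

def suspicious_params(request_path: str) -> list:
    """Return (param, value) pairs whose decoded value contains shell metacharacters."""
    query = urlsplit(request_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded values are seen too.
        decoded = unquote_plus(value)
        if META.search(decoded):
            hits.append((name, decoded))
    return hits

# Apache combined-format prefix: client, ident, user, timestamp, request, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def scan_log(lines) -> list:
    """Return (client, path, hits) for log lines whose query carries metacharacters."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append((client, path, hits))
    return findings

# Neutralization by allowlist: a config file name may only look like a file name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def safe_value(value: str) -> bool:
    """True only for values that are safe to hand to a command as a single argument."""
    return bool(SAFE_NAME.fullmatch(value))

# Constructed sample log lines; the GUI path and parameter name are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - admin [21/Sep/2017:10:00:01 +0000] "GET /asterisk/gui/config?file=sip.conf HTTP/1.1" 200 512',
    '203.0.113.9 - admin [21/Sep/2017:10:00:07 +0000] "GET /asterisk/gui/config?file=sip.conf%3Bid HTTP/1.1" 200 77',
    '198.51.100.2 - - [21/Sep/2017:10:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {hits}")
```

Note that an authenticated user (PR:L in the vector) appears in the log like any other admin session, so the request content, not the credential, is what the detection has to key on.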





### BACKGROUND

Critical Infrastructure Sector(s): Commercial Facilities, Communications, and Critical Manufacturing.
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Alabama, United States




### MITIGATION

Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium's SwitchVox product.