CVE-2024-57520

9.8 CRITICAL

📋 TL;DR

CVE-2024-57520 is an insecure permissions (directory traversal) vulnerability in Asterisk v22. The action_createconfig function, which implements the AMI CreateConfig action, appends the client-supplied Filename header to the Asterisk configuration directory without rejecting ".." path components, so the caller can create a file outside that directory, anywhere the asterisk process is able to write. Exploitation requires an authenticated AMI account whose write permission includes config, i.e. an administrator-level credential. The vendor disputes the severity: the handler only creates an empty file and writes no content into it.
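As an added illustration, not Asterisk's own source, the Python below mirrors the pattern described above: the client-supplied file name is glued onto the configuration directory with no check for ".." components, beside a containment check that rejects names which escape the directory. The directory value and the sample file names are assumptions, and nothing here touches the real filesystem.

```python
import os
from typing import Optional

# Assumed stand-in for Asterisk's configuration directory; /etc/asterisk is
# the usual value but nothing here touches the real filesystem.
CONFIG_DIR = "/etc/asterisk"


def unsafe_config_path(filename: str, base: str = CONFIG_DIR) -> str:
    """Mirror of the vulnerable pattern: "<config dir>/<client-supplied name>"
    glued together with no check for ".." components. A Filename such as
    "../../tmp/evil" therefore lands outside the directory."""
    return f"{base}/{filename}"


def escapes_config_dir(path: str, base: str = CONFIG_DIR) -> bool:
    """True when the lexically normalised path lies outside `base`."""
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_config_path(filename: str, base: str = CONFIG_DIR) -> Optional[str]:
    """Hardened variant: build the same string, normalise it, and accept it only
    if it is still strictly under `base`. Returns None for an empty name, an
    absolute name, a name that resolves to the directory itself, or one that
    escapes. normpath() is purely lexical; production code should also
    realpath() both sides so a symlink inside the directory cannot redirect
    the write elsewhere."""
    if not filename or filename.startswith("/"):
        return None
    candidate = os.path.normpath(f"{base}/{filename}")
    if candidate == base or escapes_config_dir(candidate, base):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, one traversal, one that contains
    # ".." but still resolves inside the directory.
    for name in ("extensions.conf", "../../tmp/evil", "sub/../pjsip.conf"):
        print(f"{name!r:22} unsafe -> {unsafe_config_path(name)!r:38} "
              f"safe -> {safe_config_path(name)!r}")
```

The check normalises first and compares afterwards; rejecting the literal substring ".." instead would also refuse harmless names such as "sub/../pjsip.conf" and would miss encodings that only resolve to a parent directory after normalisation.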

💻 Affected Systems

Products:
  • Asterisk
Versions: v22 (the report names v22; no fixed release is identified)
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Only when AMI is enabled. The sample manager.conf ships with enabled = no, and the action is reachable only through an AMI account whose write= line includes config (or all).
Notes: Requires an authenticated AMI session holding the config write permission. Vendor disputes severity, noting the impact is limited to creating empty files.

📦 What is this software?

Asterisk is an open-source PBX and telephony engine. It is administered through the Asterisk Manager Interface (AMI, 5038/tcp by default), the Asterisk REST Interface (ARI) and the CLI; the vulnerable function is one of the AMI action handlers, so only deployments that expose AMI are reachable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding AMI credentials with the config write permission creates empty files at any path the asterisk process user can write to; if Asterisk runs as root, that is the whole filesystem. No content is written, so there is no direct path to code execution. The damage comes from a file existing where it should not: pre-empting a file another service expects to create, triggering "if this file exists" logic in other software, or cluttering system directories.

🟠 Likely Case

A privileged, or compromised, AMI account creates empty files in unintended directories, causing a denial of service or configuration breakage when Asterisk or another program later trips over them.

🟢 If Mitigated

With AMI bound to trusted interfaces, the config write permission limited to the accounts that need it, and Asterisk running as an unprivileged user, the impact is an empty file in a location that user could already write to.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNLIKELY (the PoC is a single AMI action whose only effect is an empty file)
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid AMI credentials with the config write permission. The public proof of concept sends a CreateConfig action whose Filename header contains ".." components and shows the file being created outside the configuration directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://github.com/asterisk/asterisk/issues/1122

Restart Required: No (manager.conf changes take effect with "asterisk -rx 'manager reload'")

Instructions:

No fixed release is identified. Monitor the Asterisk GitHub repository and the issue above for an official patch, and apply the workarounds below (restrict AMI access and the config write permission) in the meantime.

🔧 Temporary Workarounds

Restrict Configuration Access

linux

Only accounts that genuinely manage configuration should hold the config write permission, and AMI should listen only on trusted interfaces with permit/deny ACLs on each account.

# List AMI accounts whose write= permission includes config (or all)
grep -nE '^\s*write\s*=.*\b(config|all)\b' /etc/asterisk/manager.conf
# Remove "config" from write= on accounts that do not need it, then reload and confirm
asterisk -rx "manager reload"
asterisk -rx "manager show users"
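Added example, not taken from the page or from the Asterisk project: a manager.conf account that can reach CreateConfig from any host that knows the secret, beside the corrected form. Account names, secrets and the 10.0.5.0/24 management network are assumptions; the "before" and "after" sections are shown in one fragment for comparison and would not both appear in a real file.

```ini
; ---- before: weak ----
; config permission plus no ACL, so any host that knows the secret can
; send CreateConfig with a traversal Filename
[general]
enabled = yes
bindaddr = 0.0.0.0
port = 5038

[admin]
secret = hunter2
read = all
write = system,call,config

; ---- after: corrected ----
; AMI listens only on the management interface; the day-to-day account loses
; the config permission, and the one account that keeps it is pinned to a
; single management host (deny everything, then permit the exception)
[general]
enabled = yes
bindaddr = 10.0.5.1
port = 5038

[admin]
secret = hunter2
read = all
write = system,call,originate
deny = 0.0.0.0/0.0.0.0
permit = 10.0.5.0/255.255.255.0

[cfgadmin]
secret = a-different-long-secret
read = config
write = config
deny = 0.0.0.0/0.0.0.0
permit = 10.0.5.10/255.255.255.255
```

Asterisk evaluates deny/permit in order, so the deny-all line must come first; a permit line on its own does nothing because the default is to allow every source.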

Implement Directory Restrictions

linux

Run Asterisk as an unprivileged user so the only paths it can create files in are the ones that user already owns, and confine the asterisk binary further with an SELinux or AppArmor policy. Audit file creation by that user so an escape from the configuration directory is visible.

# asterisk.conf, [options] section: drop privileges at start-up
#   runuser = asterisk
#   rungroup = asterisk
# Record every write/attribute-change file operation performed as the asterisk user
auditctl -a always,exit -F arch=b64 -F euid=asterisk -F perm=wa -k asterisk_write
# Review the events; paths outside /etc/asterisk and /var/lib/asterisk are the ones of interest
ausearch -k asterisk_write -i

🧯 If You Can't Patch

  • Implement strict access controls for Asterisk administrative interfaces
  • Monitor for unusual file creation activities in system directories

🔍 How to Verify

Check if Vulnerable:

Confirm you are running v22, then list the AMI accounts able to send CreateConfig: every account in manager.conf whose write= permission includes config or all. If AMI is disabled (enabled = no in manager.conf) or no account holds that permission, the vulnerable function is not reachable. Since no fixed release is named, the version check alone cannot show that you are safe.

Check Version:

asterisk -V
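The check above, as an added example (not tooling from the page or the Asterisk project): a small parser for the manager.conf syntax that reports every account whose write permission includes config or all, and whether a permit= ACL restricts its source addresses. The sample configuration is constructed; templates ("(!)") and section inheritance are not handled.

```python
import re
from typing import Dict, List

# Constructed sample manager.conf, not taken from any real deployment.
SAMPLE_MANAGER_CONF = """
[general]
enabled = yes
bindaddr = 0.0.0.0
port = 5038

[monitor]
secret = s3cret
read = system,call,log
write = originate

[admin]
secret = hunter2
read = all
write = system,call,config   ; can issue CreateConfig
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.0/255.0.0.0

[legacy]
secret = changeme
write = all
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_manager_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal parser for the manager.conf syntax used here: [section]
    headers, key = value lines, ';' comments. Values of a key that repeats
    (permit/deny) are accumulated in order."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def users_with_config_write(sections: Dict[str, Dict[str, List[str]]]) -> Dict[str, dict]:
    """Return the AMI accounts whose write permission includes 'config' or
    'all', i.e. the accounts able to send CreateConfig, with a flag telling
    whether any permit= ACL narrows their source addresses."""
    findings = {}
    for name, keys in sections.items():
        if name == "general":
            continue
        perms = set()
        for value in keys.get("write", []):
            perms.update(p.strip().lower() for p in value.split(",") if p.strip())
        if "config" in perms or "all" in perms:
            findings[name] = {
                "write": sorted(perms),
                "has_permit_acl": bool(keys.get("permit")),
            }
    return findings


if __name__ == "__main__":
    conf = parse_manager_conf(SAMPLE_MANAGER_CONF)
    if conf.get("general", {}).get("enabled", ["no"])[-1].lower() != "yes":
        print("AMI disabled; CreateConfig not reachable")
    for account, info in users_with_config_write(conf).items():
        acl = "ACL present" if info["has_permit_acl"] else "NO ACL"
        print(f"{account}: write={','.join(info['write'])} ({acl})")
```

Accounts reported with "NO ACL" are the first to fix: either drop config from their write= line or add deny/permit entries that pin them to the management network.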

Verify Fix Applied:

From a test AMI account that still holds the config permission, send a CreateConfig action whose Filename contains ".." components and confirm that Asterisk returns an Error response and that no file appears at the traversed path. Accounts that have had the permission removed should receive a "Permission denied" error for any CreateConfig action.

📡 Detection & Monitoring

Log Indicators:

  • Asterisk does not log individual AMI actions by default, so a CreateConfig call leaves no line of its own; watch the security log (res_security_log) for AMI SuccessfulAuth events from unexpected RemoteAddress values, or for accounts that hold the config permission
  • New zero-byte files owned by the asterisk user outside /etc/asterisk and /var/lib/asterisk (auditd events, or a periodic find)
  • Configuration changes from unexpected sources

Network Indicators:

  • Connections to the AMI port (5038/tcp by default) from hosts that are not management systems
  • AMI sessions sending CreateConfig actions with ".." in the Filename header (visible in a capture only when AMI is not TLS-wrapped)

SIEM Query:

source="asterisk/security" Service="AMI" SecurityEvent="SuccessfulAuth" AccountID IN ("admin") NOT RemoteAddress="IPV4/TCP/10.0.5.*"

Replace the account list with the accounts that hold the config write permission and the address pattern with your management network. Strings such as "action_createconfig" or "directory traversal" never appear in Asterisk's logs, so searching for them finds nothing.
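The query above, run as code over sample log lines: an added example, not part of the page or of any Asterisk tooling. The lines are constructed in the key="value" format Asterisk's security log (res_security_log) emits; account names, addresses and the trusted 10.0.5.0/24 network are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in the format of Asterisk's security log;
# every address, account and session ID is invented.
SAMPLE_SECURITY_LOG = """
[2024-12-20 10:15:32] SECURITY[1201] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-12-20T10:15:32.101+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f3a9c001a20",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/10.0.5.12/41822",UsingPassword="1",SessionTV="2024-12-20T10:15:32.100+0000"
[2024-12-20 10:16:01] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-12-20T10:16:01.004+0000",Severity="Error",Service="AMI",EventVersion="2",AccountID="admin",SessionID="0x7f3a9c002b40",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/203.0.113.5/49152",UsingPassword="1",SessionTV="2024-12-20T10:16:01.002+0000",Challenge="",ReceivedChallenge="",ReceivedHash=""
[2024-12-20 10:16:07] SECURITY[1201] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-12-20T10:16:07.551+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f3a9c002b40",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/203.0.113.5/49153",UsingPassword="1",SessionTV="2024-12-20T10:16:07.550+0000"
[2024-12-20 10:20:44] SECURITY[1201] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-12-20T10:20:44.010+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="6001",SessionID="0x7f3a9c0040c0",LocalAddress="IPV4/UDP/0.0.0.0/5060",RemoteAddress="IPV4/UDP/10.0.5.30/5060",UsingPassword="1",SessionTV="2024-12-20T10:20:44.009+0000"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed management network from which AMI administration is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_security_events(text: str) -> List[Dict[str, str]]:
    """Turn each security-log line into a dict of its key="value" pairs."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines()
            if "SecurityEvent=" in line]


def remote_ip(event: Dict[str, str]) -> str:
    """RemoteAddress looks like IPV4/TCP/203.0.113.5/49152; the address is
    the third field (IPv6 literals contain no slashes, so this holds for them too)."""
    return event["RemoteAddress"].split("/")[2]


def suspicious_ami_logins(events: List[Dict[str, str]], config_accounts: Set[str],
                          trusted=TRUSTED_NETWORKS) -> List[Tuple[str, str]]:
    """AMI SuccessfulAuth events for accounts able to issue CreateConfig that
    originate outside the trusted networks, as (account, ip) pairs."""
    hits = []
    for ev in events:
        if ev.get("Service") != "AMI" or ev.get("SecurityEvent") != "SuccessfulAuth":
            continue
        if ev.get("AccountID") not in config_accounts:
            continue
        ip = ipaddress.ip_address(remote_ip(ev))
        if not any(ip in net for net in trusted):
            hits.append((ev["AccountID"], str(ip)))
    return hits


if __name__ == "__main__":
    events = parse_security_events(SAMPLE_SECURITY_LOG)
    for account, ip in suspicious_ami_logins(events, {"admin"}):
        print(f"config-capable AMI login for {account} from untrusted {ip}")
```

The second sample line (an InvalidPassword from the same untrusted host seconds before the successful login) is the kind of context worth joining on the RemoteAddress field once the login itself has been flagged.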

🔗 References

  • Asterisk issue tracker: https://github.com/asterisk/asterisk/issues/1122