critical advisory

Asterisk and Digium Certified Asterisk Vulnerabilities

An authenticated remote attacker can exploit vulnerabilities in Asterisk and Digium Certified Asterisk to achieve arbitrary code execution, denial of service, or information disclosure.

Multiple vulnerabilities in Asterisk and Digium Certified Asterisk allow a remote attacker who already holds valid credentials to achieve arbitrary code execution (and from there full compromise of the host), denial of service that takes the PBX offline, or disclosure of sensitive data that can feed further attacks. Any system running an affected version of Asterisk or Digium Certified Asterisk is in scope. Defenders should prioritize inventorying Asterisk installations, confirming their versions against the vendor's fixed releases, and patching.

Attack Chain

  1. The attacker authenticates to the Asterisk or Digium Certified Asterisk system with valid credentials.
  2. The attacker abuses a vulnerability to write attacker-controlled content into an Asterisk configuration file.
  3. Asterisk parses the modified configuration file and the injected content is executed in the context of the Asterisk process.
  4. The injected payload opens a reverse shell to the attacker's host.
  5. The attacker uses the reverse shell for interactive access to the Asterisk server.
  6. The attacker escalates privileges with public exploits or other weaknesses on the host.
  7. The attacker installs persistence (backdoors, modified system configuration) for long-term access.
  8. The attacker exfiltrates sensitive data, or crashes critical processes to cause a denial of service.

Impact

Successful exploitation could give an attacker complete control of the affected Asterisk or Digium Certified Asterisk systems. Consequences include disruption of communication services, exfiltration of sensitive call data, and use of the compromised PBX as a pivot into the rest of the network, with the associated financial losses, reputational damage and legal liability that follow a data breach.

Recommendation

  • Review Asterisk and Digium Certified Asterisk file activity for suspicious configuration changes, using the Sigma rule Asterisk Configuration Change Detection below.
  • Enforce strong authentication and tight access controls on every interface that accepts Asterisk credentials; exploitation requires an authenticated session, so credential hygiene and network restriction directly shrink the attack surface.
  • Continuously monitor the Asterisk process for unexpected outbound network connections, using the Sigma rule Asterisk Suspicious Outbound Connection below.

Detection coverage (2 rules)

Asterisk Configuration Change Detection

medium

Detects suspicious changes to Asterisk configuration files.

sigma tactics: persistence techniques: T1546.003 sources: file_event, linux (note: T1546.003 is the Windows-only WMI Event Subscription sub-technique; for a Linux configuration-file change the parent technique T1546, Event Triggered Execution, is the closer mapping)

Asterisk Suspicious Outbound Connection

high

Detects Asterisk processes making outbound network connections to unusual ports.

sigma tactics: command_and_control techniques: T1071.001 sources: network_connection, linux (note: T1071.001 is Web Protocols; a connection to an unusual port is more directly T1571, Non-Standard Port)
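The two rules above are described only in prose; the following is an added example (not the vendor's Sigma rules and not code from the original advisory) that re-implements their detection logic in Python and runs it over a handful of constructed events. It assumes Linux telemetry flattened into dictionaries with Sigma-style field names (file_event: process, path, action; network_connection: process, dst_ip, dst_port, direction), and it assumes Asterisk's default layout: configuration under /etc/asterisk, SIP signalling on 5060/5061, IAX2 on 4569, and media in the default 10000-20000 RTP range. The TRUSTED_EDITORS allowlist is a site-specific assumption and must be tuned to whatever actually manages the configuration in a given deployment.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# --- Environment assumptions (adjust per deployment) -------------------------
ASTERISK_CONF_DIR = "/etc/asterisk/"                  # default install location
ASTERISK_BINARIES = {"asterisk", "safe_asterisk"}     # process names of the PBX itself
# Processes allowed to touch Asterisk config (assumption: package manager + config mgmt).
TRUSTED_EDITORS = {"asterisk", "dpkg", "rpm", "puppet", "ansible"}
# Ports Asterisk is expected to talk to outbound: SIP, IAX2, DNS, default RTP range.
EXPECTED_PORTS = {5060, 5061, 4569, 53}
RTP_RANGE = range(10000, 20001)
WRITE_ACTIONS = {"create", "modify", "rename", "delete"}


@dataclass
class Alert:
    rule: str
    level: str
    event: dict


def config_change_detection(ev: dict) -> Optional[Alert]:
    """Mirror of 'Asterisk Configuration Change Detection' (medium).

    Fires on any write-class action under /etc/asterisk by a process that is
    not on the trusted-editor allowlist."""
    if ev.get("source") != "file_event":
        return None
    if not ev.get("path", "").startswith(ASTERISK_CONF_DIR):
        return None
    if ev.get("action") not in WRITE_ACTIONS:
        return None
    if ev.get("process") in TRUSTED_EDITORS:
        return None
    return Alert("Asterisk Configuration Change Detection", "medium", ev)


def suspicious_outbound_detection(ev: dict) -> Optional[Alert]:
    """Mirror of 'Asterisk Suspicious Outbound Connection' (high).

    Fires when the asterisk process itself opens an outbound connection to a
    port outside its expected signalling/media/DNS set (e.g. a reverse shell)."""
    if ev.get("source") != "network_connection":
        return None
    if ev.get("direction") != "outbound":
        return None
    if ev.get("process") not in ASTERISK_BINARIES:
        return None
    try:
        port = int(ev.get("dst_port", -1))
    except (TypeError, ValueError):
        port = -1
    if port in EXPECTED_PORTS or port in RTP_RANGE:
        return None
    return Alert("Asterisk Suspicious Outbound Connection", "high", ev)


RULES: List[Callable[[dict], Optional[Alert]]] = [
    config_change_detection,
    suspicious_outbound_detection,
]


def run(events: Iterable[dict]) -> List[Alert]:
    """Apply every rule to every event and collect the alerts, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not captured from a real system). Only the
# second and sixth events should alert: an interactive shell editing
# extensions.conf, and the PBX process calling out to a non-VoIP port.
SAMPLE_EVENTS = [
    {"source": "file_event", "process": "dpkg", "path": "/etc/asterisk/pjsip.conf", "action": "modify"},
    {"source": "file_event", "process": "bash", "path": "/etc/asterisk/extensions.conf", "action": "modify"},
    {"source": "file_event", "process": "vim", "path": "/etc/hosts", "action": "modify"},
    {"source": "network_connection", "process": "asterisk", "dst_ip": "198.51.100.7", "dst_port": 5060, "direction": "outbound"},
    {"source": "network_connection", "process": "asterisk", "dst_ip": "198.51.100.7", "dst_port": 14022, "direction": "outbound"},
    {"source": "network_connection", "process": "asterisk", "dst_ip": "203.0.113.9", "dst_port": 4444, "direction": "outbound"},
    {"source": "network_connection", "process": "curl", "dst_ip": "203.0.113.9", "dst_port": 4444, "direction": "outbound"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.level}] {a.rule}: {a.event}")
```

Two caveats carry over from the rule descriptions. The configuration rule is only as good as its allowlist: an attacker who has already reached step 3 of the chain runs as the Asterisk user, so "asterisk" writing its own config is exactly the event you may need to see, and a deployment that never expects Asterisk to rewrite its own files should drop it from TRUSTED_EDITORS. The outbound rule is port-based, so a reverse shell or C2 channel that uses 443 or 53 will not trip it; pair it with destination allowlisting or egress filtering rather than relying on the port heuristic alone.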
