ID

VAR-201709-0712


CVE

CVE-2017-14001


TITLE

Digium Asterisk GUI OS Command injection vulnerability

Trust: 0.8

sources: IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227 // CNVD: CNVD-2017-27939

DESCRIPTION

An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program. The Asterisk GUI is a framework for configuring graphical user interfaces. Digium Asterisk GUI is prone to an OS command-injection vulnerability because it fails to properly sanitize user-supplied input. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Asterisk GUI 2.1.0 and prior versions are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-14001 // JVNDB: JVNDB-2017-008554 // CNVD: CNVD-2017-27939 // BID: 100950 // IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227 // CNVD: CNVD-2017-27939

AFFECTED PRODUCTS

vendor: digium, model: asterisk gui, scope: lte, version: 2.1.0

Trust: 1.8

vendor: digium, model: asterisk gui, scope: lte, version: <=2.1.0

Trust: 0.6

vendor: digium, model: asterisk gui, scope: eq, version: 2.1.0

Trust: 0.6

vendor: digium, model: asterisk gui, scope: eq, version: 2.1

Trust: 0.3

vendor: asterisk gui, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227 // CNVD: CNVD-2017-27939 // BID: 100950 // JVNDB: JVNDB-2017-008554 // CNNVD: CNNVD-201709-1088 // NVD: CVE-2017-14001

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-14001
value: HIGH

Trust: 1.0

NVD: CVE-2017-14001
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-27939
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201709-1088
value: HIGH

Trust: 0.6

IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227
value: HIGH

Trust: 0.2

CVSSV2

nvd@nist.gov: CVE-2017-14001
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-27939
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

CVSSV3

nvd@nist.gov: CVE-2017-14001
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227 // CNVD: CNVD-2017-27939 // JVNDB: JVNDB-2017-008554 // CNNVD: CNNVD-201709-1088 // NVD: CVE-2017-14001

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2017-008554 // NVD: CVE-2017-14001

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-1088

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201709-1088

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-008554

PATCH

title: Top Page, url: https://www.digium.com/

Trust: 0.8

title: Patch for Digium Asterisk GUI OS Command Injection Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/102623

Trust: 0.6

sources: CNVD: CNVD-2017-27939 // JVNDB: JVNDB-2017-008554

EXTERNAL IDS

db: NVD, id: CVE-2017-14001

Trust: 3.5

db: ICS CERT, id: ICSA-17-264-03

Trust: 3.3

db: BID, id: 100950

Trust: 1.9

db: CNVD, id: CNVD-2017-27939

Trust: 0.8

db: CNNVD, id: CNNVD-201709-1088

Trust: 0.8

db: JVNDB, id: JVNDB-2017-008554

Trust: 0.8

db: IVD, id: A65C0F37-5815-4893-B0C3-0C14C3B1B227

Trust: 0.2

sources: IVD: a65c0f37-5815-4893-b0c3-0c14c3b1b227 // CNVD: CNVD-2017-27939 // BID: 100950 // JVNDB: JVNDB-2017-008554 // CNNVD: CNNVD-201709-1088 // NVD: CVE-2017-14001

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-264-03

Trust: 3.3

url:http://www.securityfocus.com/bid/100950

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14001

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-14001

Trust: 0.8

url:https://www.digium.com/

Trust: 0.3

sources: CNVD: CNVD-2017-27939 // BID: 100950 // JVNDB: JVNDB-2017-008554 // CNNVD: CNNVD-201709-1088 // NVD: CVE-2017-14001

CREDITS

Davy Douhine of RandoriSec

Trust: 0.9

sources: BID: 100950 // CNNVD: CNNVD-201709-1088

SOURCES

db: IVD, id: a65c0f37-5815-4893-b0c3-0c14c3b1b227
db: CNVD, id: CNVD-2017-27939
db: BID, id: 100950
db: JVNDB, id: JVNDB-2017-008554
db: CNNVD, id: CNNVD-201709-1088
db: NVD, id: CVE-2017-14001

LAST UPDATE DATE

2025-04-20T23:25:57.290000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-27939, date: 2017-09-22T00:00:00
db: BID, id: 100950, date: 2017-09-21T00:00:00
db: JVNDB, id: JVNDB-2017-008554, date: 2017-10-23T00:00:00
db: CNNVD, id: CNNVD-201709-1088, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-14001, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: a65c0f37-5815-4893-b0c3-0c14c3b1b227, date: 2017-09-22T00:00:00
db: CNVD, id: CNVD-2017-27939, date: 2017-09-22T00:00:00
db: BID, id: 100950, date: 2017-09-21T00:00:00
db: JVNDB, id: JVNDB-2017-008554, date: 2017-10-23T00:00:00
db: CNNVD, id: CNNVD-201709-1088, date: 2017-09-26T00:00:00
db: NVD, id: CVE-2017-14001, date: 2017-09-26T02:29:00.187