CVE-2024-42365: 
NixOS vulnerability analysis and mitigation

CVE-2024-42365 affects Asterisk, an open source private branch exchange (PBX) and telephony toolkit. The vulnerability was discovered and disclosed on August 8, 2024. The affected versions include Asterisk versions prior to 18.24.2, 20.9.2, and 21.4.2, and certified-asterisk versions prior to 18.9-cert11 and 20.7-cert2. The vulnerability allows an AMI user with write=originate permission to modify all configuration files in the /etc/asterisk/ directory (GitHub Advisory).

The vulnerability stems from insufficient permission checks in the AMI (Asterisk Management Interface) system. Users with only write=originate permission can use the FILE function inside the SET application to append to existing files and use CURL to write remote files to disk. The vulnerability bypasses existing security controls meant to prevent users with low privileges from executing sensitive operations. The issue has been assigned a CVSS v3.1 base score of 8.8 HIGH by NIST and 7.4 HIGH by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (NVD).

The vulnerability can lead to privilege escalation, remote code execution, and/or blind server-side request forgery with arbitrary protocol. Attackers can modify configuration files, create new manager users with elevated permissions, and execute system commands through the compromised system (GitHub Advisory).

The vulnerability has been fixed in Asterisk versions 18.24.2, 20.9.2, and 21.4.2, and certified-asterisk versions 18.9-cert11 and 20.7-cert2. Users should upgrade to these patched versions to protect against exploitation (GitHub Advisory).