CVE-2025-1131
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-11-03
Assigner: Gridware
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | asterisk | to 18.26.3 (exc) |
| sangoma | asterisk | From 20.0.0 (inc) to 20.15.1 (exc) |
| sangoma | asterisk | From 21.0.0 (inc) to 21.10.1 (exc) |
| sangoma | asterisk | From 22.0.0 (inc) to 22.5.1 (exc) |
| sangoma | certified_asterisk | 18.9 |
| sangoma | certified_asterisk | 20.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a local privilege escalation issue in the safe_asterisk script used to start the Asterisk telephony software in non-systemd environments. The script runs as root and executes all shell scripts (*.sh) in the /etc/asterisk/startup.d directory without checking their ownership or permissions. If a non-root user has write access to /etc/asterisk, they can place malicious scripts in this directory. When Asterisk is restarted via safe_asterisk, these scripts run with root privileges, allowing the user to escalate their privileges to root. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows a non-root user with write access to /etc/asterisk to execute arbitrary code with root privileges. This means an attacker can gain full control over the affected system, potentially leading to unauthorized access, data manipulation, or disruption of services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether the /etc/asterisk/startup.d directory exists and contains any .sh scripts that safe_asterisk would execute. Also verify whether non-root users have write access to /etc/asterisk, which would let them place malicious scripts there. For example, run the following commands:
1. Check if the startup.d directory exists and list its scripts: `ls -l /etc/asterisk/startup.d/*.sh`
2. Check permissions on /etc/asterisk: `ls -ld /etc/asterisk`
3. Check which users have write access to /etc/asterisk: `getfacl /etc/asterisk`
4. To test whether the vulnerability is present, create a test script (e.g., 01-test.sh) in /etc/asterisk/startup.d that performs a privileged action (such as creating a root-owned file), then restart Asterisk using safe_asterisk and check whether the action was executed with root privileges. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Restrict write permissions on the /etc/asterisk directory so that only trusted users (preferably root) can write to it, preventing unprivileged users from placing scripts in startup.d.
2. Remove or rename the /etc/asterisk/startup.d directory if it is not needed.
3. Upgrade Asterisk to a fixed version where this vulnerability is patched (e.g., 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, or 20.7-cert7).
4. Use the recommended systemd asterisk.service file to start Asterisk instead of safe_asterisk, as this method is not vulnerable.
5. Audit existing scripts in /etc/asterisk/startup.d for any unauthorized or suspicious files. [1]
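The detection commands above and mitigation steps 1 and 5 both come down to one question: can anyone other than root write to /etc/asterisk, to startup.d, or to a script inside it? The following POSIX sh audit is an added example, not code from BaseFortify or from the Asterisk project; it parses `ls -ld` only, takes the Asterisk config directory as an argument (defaulting to /etc/asterisk as in the advisory), and prints one finding per line.

```shell
#!/bin/sh
# Added audit for the CVE-2025-1131 precondition (not part of the BaseFortify
# page or of Asterisk): safe_asterisk runs every *.sh in <etc>/startup.d as
# root without checking ownership or mode, so any of <etc>, <etc>/startup.d or
# a script inside it that non-root users can write to is a finding.

# mode_string PATH -> the 10-character permission field of `ls -ld`, e.g. drwxrwxr-x
# (a trailing "+" or "." for ACL/SELinux labels is cut off by substr).
mode_string() {
  ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# owner_of PATH -> owner name as reported by `ls -ld`
owner_of() {
  ls -ld "$1" | awk '{print $3}'
}

# writable_by_others PATH -> exit 0 if the group or "other" write bit is set.
# In the mode string, character 6 is the group w bit and character 9 the other w bit.
writable_by_others() {
  case "$(mode_string "$1")" in
    ?????w*|????????w*) return 0 ;;
  esac
  return 1
}

# audit_startup_dir [ASTERISK_ETC]: print findings, exit 1 if any were found, else 0.
audit_startup_dir() {
  etc="${1:-/etc/asterisk}"
  found=0
  for p in "$etc" "$etc/startup.d" "$etc"/startup.d/*.sh; do
    [ -e "$p" ] || continue            # missing directory or an unmatched glob
    if writable_by_others "$p"; then
      echo "WRITABLE BY GROUP/OTHER: $p ($(mode_string "$p"))"; found=1
    fi
    if [ "$(owner_of "$p")" != root ]; then
      echo "NOT ROOT-OWNED: $p (owner $(owner_of "$p"))"; found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# On a real host: audit_startup_dir /etc/asterisk; echo "exit status $?"
```

A non-zero exit status means a path exists that a non-root user could modify; step 1 above (tightening those modes to root-only write) clears the finding, and step 4 removes safe_asterisk from the picture entirely.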