CVE-2024-57520
Published: 05 February 2025
Summary
CVE-2024-57520 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Sangoma Asterisk. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Restricts access to configuration changes to authorized personnel only, directly mitigating exploitation of the action_createconfig function by limiting privileged user capabilities.
Enforces least privilege for users managing configurations, reducing the attack surface even for privileged accounts that could exploit insecure permissions.
Validates inputs to the action_createconfig function, addressing the directory traversal aspect by rejecting invalid paths outside the Asterisk directory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote exploitation of public-facing Asterisk service via insecure permissions in config action, disputed between RCE and limited directory traversal.
NVD Description
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory…
more
(aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Deeper analysisAI
CVE-2024-57520 is an insecure permissions vulnerability (CWE-732) affecting Asterisk version 22, specifically in the action_createconfig function. The issue has been reported to enable a remote attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, and no required privileges or user interaction.
The attack scenario involves a remote attacker exploiting the vulnerability remotely. According to the reporter, this allows arbitrary code execution, while the supplier disputes this, stating the impact is limited to directory traversal that creates empty files outside the Asterisk product directory. The supplier further notes that exploitation requires a privileged user with the ability to manage the configuration.
Advisories reference a GitHub issue (https://github.com/asterisk/asterisk/issues/1122) where the supplier disputes the severity and a Gist (https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621) likely containing additional details or a proof-of-concept. No specific patches or mitigations are detailed in the provided information.
Details
- CWE(s)