VYPR
Unrated severity · NVD Advisory · Published Nov 24, 2014 · Updated May 6, 2026

CVE-2014-8412

Description

The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allow remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family of the first ACL entry.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in Asterisk's ACL handling allows remote attackers to bypass access controls when the first ACL entry's address family differs from the packet's, affecting VoIP channels, DUNDi, and AMI.

Vulnerability

The vulnerability exists in Asterisk's access control list (ACL) implementation used by VoIP channel drivers, DUNDi, and the Asterisk Manager Interface (AMI). When processing incoming IP packets, Asterisk only compares the packet's address family to the IP address family of the first entry in the ACL list. If the packet's source IP is of a different address family (e.g., IPv6 versus IPv4) than the first ACL rule, all ACL rules are bypassed. This affects Asterisk Open Source versions 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1, as well as Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 [1].
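To make the defect pattern concrete, the following is an added, hypothetical model written for this page (it is not Asterisk's source and does not reproduce Asterisk's rule semantics). It contrasts an ACL check that compares the packet's address family only against the first rule with one that applies the family check to every rule; `AF_INET`, `AF_INET6` and `inet_pton` are standard POSIX, while the rule layout, "last matching rule wins" and "allow when nothing matches" are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical, simplified ACL model written for this page; it is not
 * Asterisk's code and does not reproduce Asterisk's rule semantics. */
enum verdict { ACL_DENY = 0, ACL_ALLOW = 1 };

struct ip_addr { int family; unsigned char bytes[16]; };   /* AF_INET or AF_INET6 */
struct acl_rule { struct ip_addr net; int prefix; enum verdict action; };

/* Parses "192.0.2.1" or "2001:db8::1"; returns false if the text is neither. */
bool ip_from_text(struct ip_addr *a, const char *text) {
    memset(a, 0, sizeof *a);
    if (inet_pton(AF_INET, text, a->bytes) == 1) { a->family = AF_INET; return true; }
    if (inet_pton(AF_INET6, text, a->bytes) == 1) { a->family = AF_INET6; return true; }
    return false;
}

/* True when the first `prefix` bits of a and b agree. */
static bool prefix_match(const unsigned char *a, const unsigned char *b, int prefix) {
    int full = prefix / 8, rem = prefix % 8;
    if (memcmp(a, b, full) != 0) return false;
    if (rem == 0) return true;
    unsigned char mask = (unsigned char)(0xFFu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* Vulnerable pattern: the packet's family is compared with rule 0 only, so a
 * packet of any other family skips the whole list and gets the default
 * (model assumption: ALLOW when nothing matches). */
enum verdict acl_check_vulnerable(const struct acl_rule *r, int n, const struct ip_addr *src) {
    enum verdict v = ACL_ALLOW;
    if (n == 0 || r[0].net.family != src->family) return v;
    for (int i = 0; i < n; i++)
        if (prefix_match(r[i].net.bytes, src->bytes, r[i].prefix)) v = r[i].action;  /* last match wins */
    return v;
}

/* Fixed pattern: the family check is applied to every rule, so a deny rule
 * written for the packet's family can no longer be skipped. */
enum verdict acl_check_fixed(const struct acl_rule *r, int n, const struct ip_addr *src) {
    enum verdict v = ACL_ALLOW;
    for (int i = 0; i < n; i++) {
        if (r[i].net.family != src->family) continue;
        if (prefix_match(r[i].net.bytes, src->bytes, r[i].prefix)) v = r[i].action;
    }
    return v;
}
```

With an ACL of "deny 0.0.0.0/0, deny ::/0, permit 10.0.0.0/8", an IPv6 source passes the vulnerable check because rule 0 is IPv4, while the fixed check hits the IPv6 deny rule.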

Exploitation

An attacker can send a crafted IP packet with a source address that does not match the address family of the first ACL rule. No authentication is required to trigger the ACL bypass, though the specific module (e.g., VoIP channel) may still enforce additional authentication. The attacker simply needs network access to the target Asterisk server [1].

Impact

Successful exploitation allows the attacker to bypass ACL restrictions entirely, potentially gaining unauthorized access to sensitive services. Since the packet may still require protocol-specific authentication, the impact varies; however, the ACL bypass itself could enable further attacks or information gathering. The core issue is a violation of the intended access control policy [1].

Mitigation

The fix is included in Asterisk Open Source versions 1.8.32.1, 11.14.1, 12.7.1, and 13.0.1, and Certified Asterisk versions 1.8.28-cert3 and 11.6-cert8. Users should upgrade to these versions or later. For those unable to upgrade, ensuring all ACL rules use the same address family can avoid the bug, but this is not a complete workaround. No other mitigations are documented in the advisory [1].

References
  1. AST-2014-012

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (14)

  • cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
    Range: >=1.8.0,<1.8.32.1
  • cpe:2.3:a:digium:certified_asterisk:11.6.0:*:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert4:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert5:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert6:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:11.6:cert7:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:1.8.28.0:*:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:1.8.28:cert1:*:*:lts:*:*:*
  • cpe:2.3:a:digium:certified_asterisk:1.8.28:cert2:*:*:lts:*:*:*
  • Range: <1.8.28-cert3 (1.8.28), <11.6-cert8 (11.6)
  • Range: <1.8.32.1 (1.8.x), <11.14.1 (11.x), <12.7.1 (12.x), <13.0.1 (13.x)

Patches (0)

No patches discovered yet.
