Sandro Gauci

**Nome do Software Vulnerável e Versões Afetadas** Versões do rtpengine até a mr13.3.1.4 **Descrição** O rtpengine é suscetível a injeção de RTP e redirecionamento de mídia, potencialmente levando a uma condição de negação de serviço (DoS). O vazamento de RTP (RTP bleed) permite que um atacante redirecione a mídia da vítima, como áudio, para um host controlado pelo atacante. A injeção de RTP (RTP inject) permite que atacantes insiram pacotes RTP arbitrários em chamadas ativas. **Recomendações** Versões anteriores à mr13.3.2 devem ser atualizadas.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.9 and 3.2.6 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. A malformed SIP message containing a large `Content-Length` value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the `-m` flag was allocated to OpenSIPS. The only workaround is to guarantee that the `Content-Length` value of input messages is never larger than `2147483647`. **Recommendations** For versions prior to 3.1.9, update to version 3.1.9 or later. For versions prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider guaranteeing that the `Content-Length` value of input messages is never larger than `2147483647` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 OpenSIPS versions prior to 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue is located in `msg translator.c:2628` and might lead to a server crash. This issue was found while fuzzing the function `build res buf from sip req` but could not be reproduced against a running instance of OpenSIPS. It is highly unlikely that this issue would lead to anything other than Denial of Service, even in the case of exploitation through unknown vectors. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions have fixed the issue. As a temporary workaround, consider restricting the use of the `delete sdp line` function in the sipmsgops module until a patch is available. Avoid using configurations that rely on the affected code, such as the `codec delete except re` function, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions include the patch for this vulnerability. As a temporary workaround, consider restricting access to the `delete sdp line` function in the sipmsgops module until the update can be applied. Additionally, configurations containing functions that rely on the affected code, such as `codec delete except re`, should be reviewed to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. When the function `append hf` handles a SIP message with a malformed To header, a call to the function `abort()` is performed, resulting in a crash. This is due to the check in `data lump.c:399` in the function `anchor lump`. An attacker abusing this issue will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function `append hf`. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider disabling the `append hf` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Sending a malformed `Via` header to OpenSIPS triggers a segmentation fault when the function `calc tag suffix` is called. A specially crafted `Via` header, which is deemed correct by the parser, will pass uninitialized strings to the function `MD5StringArray` which leads to the crash. Abuse of this issue leads to Denial of Service due to a crash. Since the uninitialized string points to memory location `0x0`, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code. **Recommendations** For OpenSIPS versions prior to 3.1.7, update to version 3.1.7 or later. For OpenSIPS versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider restricting the use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code until a patch is applied.

**Nome do software vulnerável e versões afetadas** Versões do FreeSWITCH anteriores à 1.10.7 **Descrição** A vulnerabilidade permite que um invasor realize um ataque de vazamento de hash SIP contra o FreeSWITCH, podendo recuperar senhas de gateways ao explorar o mecanismo de desafio-resposta de um gateway configurado no servidor FreeSWITCH. Isso é feito desafiando as solicitações SIP do FreeSWITCH com o domínio definido como o do gateway, forçando o FreeSWITCH a responder com a resposta de desafio baseada na senha do gateway visado. O invasor não precisa de privilégios especiais de rede para explorar essa vulnerabilidade, mas sim da capacidade de fazer com que o servidor da vítima envie mensagens de solicitação SIP para a parte maliciosa e especifique o domínio correto, que pode ser considerado secreto, mas pode ser facilmente recuperado, já que muitos gateways são públicos. A vulnerabilidade parece ser causada pelo código que lida com desafios em `sofia reg.c`, `sofia reg handle sip r challenge()`, que não verifica se o desafio se origina do gateway real, permitindo que UACs e gateways arbitrários desafiem qualquer solicitação enviada pelo FreeSWITCH com o domínio do gateway alvo. **Recomendações** Para resolver o problema, atualize para a versão 1.10.7 ou posterior. Como solução alternativa temporária, considere criar uma associação entre uma sessão SIP para cada gateway e seu domínio, a fim de implementar uma verificação dessa associação ao responder a desafios. Restrinja o acesso ao módulo `sofia reg.c` e à função `sofia reg handle si

**Nome do software vulnerável e versões afetadas** Versões do FreeSWITCH anteriores à v1.10.6 **Descrição** O problema diz respeito à falta de autenticação para solicitações SIP do tipo SUBSCRIBE no FreeSWITCH. Isso permite que invasores se inscrevam para receber notificações de eventos de agentes de usuário sem autenticação, o que levanta preocupações com a privacidade e pode levar a ataques de engenharia social. Por exemplo, invasores podem ser capazes de monitorar o status de ramais SIP alvo. As mensagens SIP SUBSCRIBE devem ser autenticadas por padrão, e os administradores do FreeSWITCH não deveriam precisar definir explicitamente o parâmetro `auth-subscriptions`. **Recomendações** Para versões anteriores à v1.10.6, atualize para a versão v1.10.6 ou posterior e certifique-se de que a configuração seja atualizada de acordo, pois as atualizações de software não atualizam a configuração por padrão. Como solução temporária, considere definir o parâmetro `auth-subscriptions` para habilitar a autenticação para mensagens SIP SUBSCRIBE.

**Nome do software vulnerável e versões afetadas** Versões de código aberto do Asterisk 13.x a 13.37.0 Versões de código aberto do Asterisk 16.x a 16.14.0 Versões de código aberto do Asterisk 17.x a 17.8.0 Versões do Asterisk Open Source 18.x a 18.0.0 Versões certificadas do Asterisk anteriores à 16.8-cert5 **Descrição** Foi detectada uma falha no módulo res pjsip session. Ao receber um novo SIP Invite, o Asterisk não retornou o diálogo criado bloqueado ou referenciado, causando uma lacuna entre a criação do objeto de diálogo e seu próximo uso. Essa lacuna permitia que outra thread liberasse o diálogo, levando a uma falha quando o objeto de diálogo ou seus objetos dependentes eram acessados. A falha só pode ocorrer ao usar um protocolo orientado a conexão (por exemplo, TCP ou TLS) para transporte SIP e quando o cliente remoto está autenticado ou o Asterisk está configurado para chamadas anônimas. **Recomendações** Para as versões 13.x a 13.37.0 do Asterisk Open Source, atualize para a versão 13.37.1 ou posterior. Para as versões 16.x a 16.14.0 do Asterisk Open Source, atualize para a versão 16.14.1 ou posterior. Para as versões 17.x a 17.8.0 do Asterisk Open Source, atualize para a versão 17.8.1 ou posterior. Para as versões do Asterisk Open Source 18.x a 18.0.0, atualize para a versão 18.0.1 ou posterior. Para as versões certificadas do Asterisk anteriores à 16.8-cert5, atualize para a versão 16.8-cert5 ou posterior.

**Nome do software vulnerável e versões afetadas** Software de telefonia Gizmo5 (versões afetadas não especificadas) **Descrição** A implementação SIP fornece credenciais com hash em resposta a um desafio de autenticação inválido, facilitando que invasores remotos obtenham acesso por meio de um ataque de força bruta, relacionado a uma falha de “vazamento de SIP Digest”. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Adaptador telefônico Linksys SPA2102 (versões afetadas não especificadas) **Descrição** A implementação SIP fornece credenciais com hash em resposta a um desafio de autenticação inválido, facilitando que invasores remotos obtenham acesso por meio de um ataque de força bruta, relacionado a uma falha de “vazamento de hash SIP”. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do PhonerLite anteriores à 2.15 **Descrição** A vulnerabilidade permite que invasores remotos obtenham acesso por meio de um ataque de força bruta devido ao envio de credenciais com hash em resposta a um desafio de autenticação inválido, relacionado a uma falha de “vazamento de SIP Digest”. **Recomendações** Para versões anteriores à 2.15, atualize para a versão 2.15 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao mecanismo de autenticação SIP para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Kamailio versions prior to 4.4.7 Kamailio versions 5.0.x prior to 5.0.6 Kamailio versions 5.1.x prior to 5.1.2 **Description** A Buffer Overflow issue was discovered. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the `tmx check pretran` function. **Recommendations** For versions prior to 4.4.7, update to version 4.4.7 or later. For versions 5.0.x prior to 5.0.6, update to version 5.0.6 or later. For versions 5.1.x prior to 5.1.2, update to version 5.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** A Buffer Overflow issue was discovered in the processing of a SUBSCRIBE request by the res pjsip pubsub module. The module stores accepted formats from the Accept headers of the request but does not limit the number of headers it processes, despite a fixed limit of 32. If more than 32 Accept headers are present, the code writes outside of its memory, causing a crash. **Recommendations** For Asterisk versions 13.19.1 and earlier, update to a version later than 13.19.1 to resolve the issue. For Asterisk versions 14.x through 14.7.5, update to a version later than 14.7.5. For Asterisk versions 15.x through 15.2.1, update to a version later than 15.2.1. For Certified Asterisk versions 13.18-cert2 and earlier, update to a version later than 13.18-cert2. As a temporary workaround, consider restricting access to the res pjsip pubsub module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** An issue allows remote authenticated users to crash Asterisk by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection, resulting in a segmentation fault. **Recommendations** For Asterisk versions 13.19.1 and earlier, consider restricting access to the `res pjsip` module to minimize the risk of exploitation until a patch is available. For Asterisk versions 14.x through 14.7.5, restrict the use of SIP INVITE messages on TCP or TLS connections to prevent crashes. For Asterisk versions 15.x through 15.2.1, avoid sudden closure of TCP or TLS connections after sending SIP INVITE messages. For Certified Asterisk versions 13.18-cert2 and earlier, temporarily disable the `res pjsip` module to prevent crashes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 11.x through 11.25.1 Asterisk versions 13.x through 13.17.0 Asterisk versions 14.x through 14.6.0 Certified Asterisk versions 11.x through 11.6-cert16 Certified Asterisk versions 13.x through 13.13-cert4 **Description** The issue allows unauthorized data disclosure, specifically media takeover in the RTP stack, with careful timing by an attacker. The "strictrtp" option in rtp.conf, enabled by default in Asterisk 11 and above, learns the source address of media for a session and drops any packets that do not originate from the expected address. However, when combined with symmetric RTP support, enabled through the "nat" and "rtp symmetric" options, a change in the strict RTP support introduced an avenue for media hijacking. This occurs when a flood of RTP traffic is received, allowing a new source address to be learned and used for outgoing traffic, thus hijacking the media. **Recommendations** For Asterisk versions 11.x through 11.25.1, update to version 11.25.2 or later. For Asterisk versions 13.x through 13.17.0, update to version 13.17.1 or later. For Asterisk versions 14.x through 14.6.0, update to version 14.6.1 or later. For Certified Asterisk versions 11.x through 11.6-cert16, update to version 11.6-cert17 or later. For Certified Asterisk versions 13.x through 13.13-cert4, update to version 13.13-cert5 or later.

**Name of the Vulnerable Software and Affected Versions** RTPproxy versions prior to 2.2.alpha.20160823 **Description** The issue allows remote attackers to obtain sensitive information or cause a denial of service via crafted RTP packets, due to a NAT feature not properly determining the IP address and port number of the legitimate recipient of RTP traffic. **Recommendations** For versions prior to 2.2.alpha.20160823, update to a version that fixes this issue to prevent remote attackers from obtaining sensitive information or causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 13.x through 13.15.0 Asterisk Open Source versions 14.x through 14.4.0 Certified Asterisk versions 13.13 through 13.13-cert3 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and application crash, via a crafted packet. This is due to a problem in the multi-part body parser in PJSIP. **Recommendations** For Asterisk Open Source versions 13.x through 13.15.0, update to version 13.15.1 or later. For Asterisk Open Source versions 14.x through 14.4.0, update to version 14.4.1 or later. For Certified Asterisk versions 13.13 through 13.13-cert3, update to version 13.13-cert4 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 13.x through 13.15.0 Asterisk Open Source versions 14.x through 14.4.0 Certified Asterisk versions 13.13 through 13.13-cert3 **Description** A memory exhaustion issue exists, which can be triggered by sending specially crafted SCCP packets, causing an infinite loop and leading to memory exhaustion due to message logging in that loop. **Recommendations** For Asterisk Open Source versions 13.x through 13.15.0, update to version 13.15.1 or later. For Asterisk Open Source versions 14.x through 14.4.0, update to version 14.4.1 or later. For Certified Asterisk versions 13.13 through 13.13-cert3, update to version 13.13-cert4 or later.