Alfred Farrugia

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.9 and 3.2.6 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. A malformed SIP message containing a large `Content-Length` value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the `-m` flag was allocated to OpenSIPS. The only workaround is to guarantee that the `Content-Length` value of input messages is never larger than `2147483647`. **Recommendations** For versions prior to 3.1.9, update to version 3.1.9 or later. For versions prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider guaranteeing that the `Content-Length` value of input messages is never larger than `2147483647` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions include the patch for this vulnerability. As a temporary workaround, consider restricting access to the `delete sdp line` function in the sipmsgops module until the update can be applied. Additionally, configurations containing functions that rely on the affected code, such as `codec delete except re`, should be reviewed to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions have fixed the issue. As a temporary workaround, consider restricting the use of the `delete sdp line` function in the sipmsgops module until a patch is available. Avoid using configurations that rely on the affected code, such as the `codec delete except re` function, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 OpenSIPS versions prior to 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue is located in `msg translator.c:2628` and might lead to a server crash. This issue was found while fuzzing the function `build res buf from sip req` but could not be reproduced against a running instance of OpenSIPS. It is highly unlikely that this issue would lead to anything other than Denial of Service, even in the case of exploitation through unknown vectors. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Sending a malformed `Via` header to OpenSIPS triggers a segmentation fault when the function `calc tag suffix` is called. A specially crafted `Via` header, which is deemed correct by the parser, will pass uninitialized strings to the function `MD5StringArray` which leads to the crash. Abuse of this issue leads to Denial of Service due to a crash. Since the uninitialized string points to memory location `0x0`, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code. **Recommendations** For OpenSIPS versions prior to 3.1.7, update to version 3.1.7 or later. For OpenSIPS versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider restricting the use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. When the function `append hf` handles a SIP message with a malformed To header, a call to the function `abort()` is performed, resulting in a crash. This is due to the check in `data lump.c:399` in the function `anchor lump`. An attacker abusing this issue will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function `append hf`. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider disabling the `append hf` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Kamailio versions prior to 4.4.7 Kamailio versions 5.0.x prior to 5.0.6 Kamailio versions 5.1.x prior to 5.1.2 **Description** A Buffer Overflow issue was discovered. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the `tmx check pretran` function. **Recommendations** For versions prior to 4.4.7, update to version 4.4.7 or later. For versions 5.0.x prior to 5.0.6, update to version 5.0.6 or later. For versions 5.1.x prior to 5.1.2, update to version 5.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** An issue allows remote authenticated users to crash Asterisk by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection, resulting in a segmentation fault. **Recommendations** For Asterisk versions 13.19.1 and earlier, consider restricting access to the `res pjsip` module to minimize the risk of exploitation until a patch is available. For Asterisk versions 14.x through 14.7.5, restrict the use of SIP INVITE messages on TCP or TLS connections to prevent crashes. For Asterisk versions 15.x through 15.2.1, avoid sudden closure of TCP or TLS connections after sending SIP INVITE messages. For Certified Asterisk versions 13.18-cert2 and earlier, temporarily disable the `res pjsip` module to prevent crashes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** A Buffer Overflow issue was discovered in the processing of a SUBSCRIBE request by the res pjsip pubsub module. The module stores accepted formats from the Accept headers of the request but does not limit the number of headers it processes, despite a fixed limit of 32. If more than 32 Accept headers are present, the code writes outside of its memory, causing a crash. **Recommendations** For Asterisk versions 13.19.1 and earlier, update to a version later than 13.19.1 to resolve the issue. For Asterisk versions 14.x through 14.7.5, update to a version later than 14.7.5. For Asterisk versions 15.x through 15.2.1, update to a version later than 15.2.1. For Certified Asterisk versions 13.18-cert2 and earlier, update to a version later than 13.18-cert2. As a temporary workaround, consider restricting access to the res pjsip pubsub module to minimize the risk of exploitation.