Andywolk

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to 1.10.10 **Description** FreeSWITCH is a Software Defined Telecom Stack that enables digital transformation from proprietary telecom switches to a software implementation. The issue allows remote users to trigger an out of bounds write by offering an ICE candidate with an unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. This can lead to corruption of FreeSWITCH memory, resulting in undefined behavior of the system or a crash. **Recommendations** For versions prior to 1.10.10, update to version 1.10.10 to resolve the issue. As a temporary workaround, consider restricting the handling of ICE candidates with unknown component IDs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to 1.10.10 **Description** The issue allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call completes codec negotiation, the `codec string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt the stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. **Recommendations** For versions prior to 1.10.10, update to version 1.10.10 to resolve the issue. As a temporary workaround, consider restricting the use of re-INVITE with SDP containing duplicate codec names to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sofia-SIP versions prior to 1.13.15 **Description** Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Several potential heap-over-flow and integer-overflow vulnerabilities were found in `stun parse attr error code` and `stun parse attr uint32` due to the lack of attributes length check when Sofia-SIP handles STUN packets. The previous patch fixed the vulnerability when `attr type` did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by an attacker may lead to crash, high consumption of memory or even other more serious consequences. **Recommendations** To resolve the issue, upgrade to version 1.13.15 or later. As a temporary workaround, consider restricting the handling of STUN packets to minimize the risk of exploitation. Avoid using the `stun parse attr error code` and `stun parse attr uint32` functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to 1.10.7 **Description** The issue concerns the lack of authentication for SIP MESSAGE requests in FreeSWITCH, leading to potential spam and message spoofing. By default, SIP requests of the type MESSAGE are not authenticated, allowing attackers to send messages to any SIP user agent registered with the server without requiring authentication. This can enable social engineering, phishing, and similar attacks. The maintainers recommend that this SIP message type be authenticated by default. **Recommendations** For versions prior to 1.10.7, update to version 1.10.7 to resolve the issue. As a temporary workaround, consider setting the `auth-messages` parameter to `true` to enable authentication for SIP MESSAGE requests. Restrict access to the SIP MESSAGE endpoint to minimize the risk of exploitation. Avoid relying on the default setting and explicitly configure authentication for SIP MESSAGE requests.

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to 1.10.7 **Description** The issue allows remote attackers to terminate calls by flooding a media port handling SRTP traffic with specially crafted SRTP packets, leading to denial of service. This can be done continuously, denying encrypted calls during the attack. The call disconnection occurs due to a hard-coded threshold of 100 SRTP errors in the source file `switch rtp.c`. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue was reproduced in both SIP and WebRTC environments using the SDES and DTLS key exchange mechanisms, respectively. **Recommendations** For versions prior to 1.10.7, update to version 1.10.7 to resolve the issue. As a temporary workaround, consider restricting access to the `switch rtp.c` file or disabling the SRTP functionality until a patch is applied. Avoid using the SRTP protocol in sensitive environments until the issue is resolved.