Sandro Gauci

**Name of the Vulnerable Software and Affected Versions** rtpengine versions through mr13.3.1.4 **Description** rtpengine is susceptible to RTP injection and media redirection, potentially leading to a denial-of-service (DoS) condition. RTP bleed allows an attacker to redirect a victim’s media, such as audio, to a host controlled by the attacker. RTP inject enables attackers to insert arbitrary RTP packets into active calls. **Recommendations** Versions prior to mr13.3.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.9 and 3.2.6 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. A malformed SIP message containing a large `Content-Length` value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the `-m` flag was allocated to OpenSIPS. The only workaround is to guarantee that the `Content-Length` value of input messages is never larger than `2147483647`. **Recommendations** For versions prior to 3.1.9, update to version 3.1.9 or later. For versions prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider guaranteeing that the `Content-Length` value of input messages is never larger than `2147483647` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 OpenSIPS versions prior to 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue is located in `msg translator.c:2628` and might lead to a server crash. This issue was found while fuzzing the function `build res buf from sip req` but could not be reproduced against a running instance of OpenSIPS. It is highly unlikely that this issue would lead to anything other than Denial of Service, even in the case of exploitation through unknown vectors. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions have fixed the issue. As a temporary workaround, consider restricting the use of the `delete sdp line` function in the sipmsgops module until a patch is available. Avoid using configurations that rely on the affected code, such as the `codec delete except re` function, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is received and processed by the `delete sdp line` function in the sipmsgops module. This can be reproduced by calling the function with an SDP body that does not terminate with a line feed (i.e., ` `). The vulnerability was discovered through black-box fuzzing and coverage-guided fuzzing on the `codec delete except re` function. The crash occurs because the `delete sdp line` function expects an SDP line to be terminated by a line feed (` `). An attacker can exploit this to crash the server, affecting configurations that rely on the affected code, such as the `codec delete except re` function. Exploitation results in a Denial of Service due to an `abort` in the lumps processing function. **Recommendations** To resolve the issue, update to version 3.1.7 or 3.2.4, as these versions include the patch for this vulnerability. As a temporary workaround, consider restricting access to the `delete sdp line` function in the sipmsgops module until the update can be applied. Additionally, configurations containing functions that rely on the affected code, such as `codec delete except re`, should be reviewed to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. When the function `append hf` handles a SIP message with a malformed To header, a call to the function `abort()` is performed, resulting in a crash. This is due to the check in `data lump.c:399` in the function `anchor lump`. An attacker abusing this issue will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function `append hf`. **Recommendations** For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider disabling the `append hf` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions prior to 3.1.7 and 3.2.4 **Description** OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Sending a malformed `Via` header to OpenSIPS triggers a segmentation fault when the function `calc tag suffix` is called. A specially crafted `Via` header, which is deemed correct by the parser, will pass uninitialized strings to the function `MD5StringArray` which leads to the crash. Abuse of this issue leads to Denial of Service due to a crash. Since the uninitialized string points to memory location `0x0`, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code. **Recommendations** For OpenSIPS versions prior to 3.1.7, update to version 3.1.7 or later. For OpenSIPS versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider restricting the use of functions such as `sl send reply` or `sl gen totag` that trigger the vulnerable code until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to 1.10.7 **Description** The issue allows an attacker to perform a SIP digest leak attack against FreeSWITCH, potentially recovering gateway passwords by exploiting the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, forcing FreeSWITCH to respond with the challenge response based on the password of the targeted gateway. The attacker does not require special network privileges to exploit this issue, but rather the ability to cause the victim server to send SIP request messages to the malicious party and specify the correct realm, which might be considered secret but can easily be retrieved since many gateways are public. The vulnerability appears to be due to the code handling challenges in `sofia reg.c`, `sofia reg handle sip r challenge()`, which does not check if the challenge originates from the actual gateway, allowing arbitrary UACs and gateways to challenge any request sent by FreeSWITCH with the realm of the targeted gateway. **Recommendations** To resolve the issue, update to version 1.10.7 or later. As a temporary workaround, consider creating an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges. Restrict access to the `sofia reg.c` module and the `sofia reg handle sip r challenge()` function to minimize the risk of exploitation. Avoid using the `realm` parameter in SIP requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeSWITCH versions prior to v1.10.6 **Description** The issue concerns the lack of authentication for SIP requests of the type SUBSCRIBE in FreeSWITCH. This allows attackers to subscribe to user agent event notifications without authentication, posing privacy concerns and potentially leading to social engineering attacks. For example, attackers may be able to monitor the status of target SIP extensions. SIP SUBSCRIBE messages should be authenticated by default, and FreeSWITCH administrators should not need to explicitly set the `auth-subscriptions` parameter. **Recommendations** For versions prior to v1.10.6, update to version v1.10.6 or later and ensure the configuration is updated accordingly, as software upgrades do not update the configuration by default. As a temporary workaround, consider setting the `auth-subscriptions` parameter to enable authentication for SIP SUBSCRIBE messages.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 13.x through 13.37.0 Asterisk Open Source versions 16.x through 16.14.0 Asterisk Open Source versions 17.x through 17.8.0 Asterisk Open Source versions 18.x through 18.0.0 Certified Asterisk versions prior to 16.8-cert5 **Description** A crash in the res pjsip session module was discovered. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced, causing a gap between the creation of the dialog object and its next use. This gap allowed another thread to free the dialog, leading to a crash when the dialog object or its dependent objects were accessed. The crash can only occur when using a connection-oriented protocol (e.g., TCP or TLS) for SIP transport and the remote client is authenticated or Asterisk is configured for anonymous calling. **Recommendations** For Asterisk Open Source versions 13.x through 13.37.0, update to version 13.37.1 or later. For Asterisk Open Source versions 16.x through 16.14.0, update to version 16.14.1 or later. For Asterisk Open Source versions 17.x through 17.8.0, update to version 17.8.1 or later. For Asterisk Open Source versions 18.x through 18.0.0, update to version 18.0.1 or later. For Certified Asterisk versions prior to 16.8-cert5, update to version 16.8-cert5 or later.

**Name of the Vulnerable Software and Affected Versions** Gizmo5 software phone (affected versions not specified) **Description** The SIP implementation provides hashed credentials in a response to an invalid authentication challenge, making it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linksys SPA2102 phone adapter (affected versions not specified) **Description** The SIP implementation provides hashed credentials in a response to an invalid authentication challenge, making it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PhonerLite versions prior to 2.15 **Description** The issue allows remote attackers to obtain access via a brute-force attack due to the provision of hashed credentials in response to an invalid authentication challenge, related to a "SIP Digest Leak" issue. **Recommendations** For versions prior to 2.15, update to version 2.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the SIP authentication mechanism to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kamailio versions prior to 4.4.7 Kamailio versions 5.0.x prior to 5.0.6 Kamailio versions 5.1.x prior to 5.1.2 **Description** A Buffer Overflow issue was discovered. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the `tmx check pretran` function. **Recommendations** For versions prior to 4.4.7, update to version 4.4.7 or later. For versions 5.0.x prior to 5.0.6, update to version 5.0.6 or later. For versions 5.1.x prior to 5.1.2, update to version 5.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** A Buffer Overflow issue was discovered in the processing of a SUBSCRIBE request by the res pjsip pubsub module. The module stores accepted formats from the Accept headers of the request but does not limit the number of headers it processes, despite a fixed limit of 32. If more than 32 Accept headers are present, the code writes outside of its memory, causing a crash. **Recommendations** For Asterisk versions 13.19.1 and earlier, update to a version later than 13.19.1 to resolve the issue. For Asterisk versions 14.x through 14.7.5, update to a version later than 14.7.5. For Asterisk versions 15.x through 15.2.1, update to a version later than 15.2.1. For Certified Asterisk versions 13.18-cert2 and earlier, update to a version later than 13.18-cert2. As a temporary workaround, consider restricting access to the res pjsip pubsub module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier **Description** An issue allows remote authenticated users to crash Asterisk by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection, resulting in a segmentation fault. **Recommendations** For Asterisk versions 13.19.1 and earlier, consider restricting access to the `res pjsip` module to minimize the risk of exploitation until a patch is available. For Asterisk versions 14.x through 14.7.5, restrict the use of SIP INVITE messages on TCP or TLS connections to prevent crashes. For Asterisk versions 15.x through 15.2.1, avoid sudden closure of TCP or TLS connections after sending SIP INVITE messages. For Certified Asterisk versions 13.18-cert2 and earlier, temporarily disable the `res pjsip` module to prevent crashes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 11.x through 11.25.1 Asterisk versions 13.x through 13.17.0 Asterisk versions 14.x through 14.6.0 Certified Asterisk versions 11.x through 11.6-cert16 Certified Asterisk versions 13.x through 13.13-cert4 **Description** The issue allows unauthorized data disclosure, specifically media takeover in the RTP stack, with careful timing by an attacker. The "strictrtp" option in rtp.conf, enabled by default in Asterisk 11 and above, learns the source address of media for a session and drops any packets that do not originate from the expected address. However, when combined with symmetric RTP support, enabled through the "nat" and "rtp symmetric" options, a change in the strict RTP support introduced an avenue for media hijacking. This occurs when a flood of RTP traffic is received, allowing a new source address to be learned and used for outgoing traffic, thus hijacking the media. **Recommendations** For Asterisk versions 11.x through 11.25.1, update to version 11.25.2 or later. For Asterisk versions 13.x through 13.17.0, update to version 13.17.1 or later. For Asterisk versions 14.x through 14.6.0, update to version 14.6.1 or later. For Certified Asterisk versions 11.x through 11.6-cert16, update to version 11.6-cert17 or later. For Certified Asterisk versions 13.x through 13.13-cert4, update to version 13.13-cert5 or later.

**Name of the Vulnerable Software and Affected Versions** RTPproxy versions prior to 2.2.alpha.20160823 **Description** The issue allows remote attackers to obtain sensitive information or cause a denial of service via crafted RTP packets, due to a NAT feature not properly determining the IP address and port number of the legitimate recipient of RTP traffic. **Recommendations** For versions prior to 2.2.alpha.20160823, update to a version that fixes this issue to prevent remote attackers from obtaining sensitive information or causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 13.x through 13.15.0 Asterisk Open Source versions 14.x through 14.4.0 Certified Asterisk versions 13.13 through 13.13-cert3 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and application crash, via a crafted packet. This is due to a problem in the multi-part body parser in PJSIP. **Recommendations** For Asterisk Open Source versions 13.x through 13.15.0, update to version 13.15.1 or later. For Asterisk Open Source versions 14.x through 14.4.0, update to version 14.4.1 or later. For Certified Asterisk versions 13.13 through 13.13-cert3, update to version 13.13-cert4 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 13.x through 13.15.0 Asterisk Open Source versions 14.x through 14.4.0 Certified Asterisk versions 13.13 through 13.13-cert3 **Description** A memory exhaustion issue exists, which can be triggered by sending specially crafted SCCP packets, causing an infinite loop and leading to memory exhaustion due to message logging in that loop. **Recommendations** For Asterisk Open Source versions 13.x through 13.15.0, update to version 13.15.1 or later. For Asterisk Open Source versions 14.x through 14.4.0, update to version 14.4.1 or later. For Certified Asterisk versions 13.13 through 13.13-cert3, update to version 13.13-cert4 or later.