CVE-2021-37624

Name of the Vulnerable Software and Affected Versions FreeSWITCH versions prior to 1.10.7

Description The issue concerns the lack of authentication for SIP MESSAGE requests in FreeSWITCH, leading to potential spam and message spoofing. By default, SIP requests of the type MESSAGE are not authenticated, allowing attackers to send messages to any SIP user agent registered with the server without requiring authentication. This can enable social engineering, phishing, and similar attacks. The maintainers recommend that this SIP message type be authenticated by default.

Recommendations For versions prior to 1.10.7, update to version 1.10.7 to resolve the issue. As a temporary workaround, consider setting the auth-messages parameter to true to enable authentication for SIP MESSAGE requests. Restrict access to the SIP MESSAGE endpoint to minimize the risk of exploitation. Avoid relying on the default setting and explicitly configure authentication for SIP MESSAGE requests.