PT-2021-23137 · Unknown+1 · Freeswitch+1

Sandro Gauci · Published 2021-04-13 · Updated 2023-10-08 · CVE-2021-41157

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

FreeSWITCH versions prior to v1.10.6

Description

The issue concerns the lack of authentication for SIP requests of the type SUBSCRIBE in FreeSWITCH. This allows attackers to subscribe to user agent event notifications without authentication, posing privacy concerns and potentially leading to social engineering attacks. For example, attackers may be able to monitor the status of target SIP extensions. SIP SUBSCRIBE messages should be authenticated by default, and FreeSWITCH administrators should not need to explicitly set the auth-subscriptions parameter.

Recommendations

For versions prior to v1.10.6, update to version v1.10.6 or later and ensure the configuration is updated accordingly, as software upgrades do not update the configuration by default. As a temporary workaround, consider setting the auth-subscriptions parameter to enable authentication for SIP SUBSCRIBE messages.
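
Because an upgrade leaves existing configuration untouched, each SIP profile has to be checked for the parameter explicitly. The following is an added example, not code from the advisory or from the FreeSWITCH project: a small audit that reports, per profile, whether auth-subscriptions is set. It assumes the usual `<profile>`/`<settings>`/`<param name value>` XML layout; the profile names, the sample document, the variable name and the set of values treated as "enabled" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: three SIP profiles in <profile>/<settings>/<param> form.
SAMPLE = """
<profiles>
  <profile name="internal">
    <settings>
      <param name="auth-calls" value="true"/>
    </settings>
  </profile>
  <profile name="external">
    <settings>
      <param name="auth-calls" value="false"/>
      <param name="auth-subscriptions" value="true"/>
    </settings>
  </profile>
  <profile name="lab">
    <settings>
      <param name="auth-subscriptions" value="$${lab_auth_subs}"/>
    </settings>
  </profile>
</profiles>
"""

# Assumption: values counted as "enabled" by this audit.
TRUTHY = {"true", "yes", "on", "1"}

def audit_profiles(xml_text):
    """Map each profile name to 'ok', 'missing', 'disabled' or 'unresolved'."""
    results = {}
    root = ET.fromstring(xml_text)
    for profile in root.iter("profile"):  # also matches a <profile> root element
        status = "missing"                # parameter absent from this profile
        for param in profile.iter("param"):
            if param.get("name") != "auth-subscriptions":
                continue
            value = (param.get("value") or "").strip()
            if value.startswith("$"):     # preprocessor variable: check its definition by hand
                status = "unresolved"
            elif value.lower() in TRUTHY:
                status = "ok"
            else:
                status = "disabled"
        results[profile.get("name", "<unnamed>")] = status
    return results

if __name__ == "__main__":
    for name, status in audit_profiles(SAMPLE).items():
        print(f"{name}: auth-subscriptions {status}")
```

Profiles reported as `missing` or `disabled` are the ones where the workaround above has not been applied; `unresolved` means the value comes from a variable defined elsewhere and needs a manual look.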

Exploit

Fix

Improper Authentication

Missing Authentication

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1643
ALT-PU-2021-1703
ALT-PU-2021-3374
ALT-PU-2021-3448
ALT-PU-2023-5726
CVE-2021-41157
GHSA-G7XG-7C54-RMPJ

Affected Products

Alt Linux
Freeswitch