PT-2021-23138 · Unknown+1 · Freeswitch+1

Sandro Gauci · Published 2021-10-26 · Updated 2023-10-08 · CVE-2021-41158

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FreeSWITCH versions prior to 1.10.7

Description: The issue allows an attacker to perform a SIP digest leak attack against FreeSWITCH, potentially recovering gateway passwords by exploiting the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, forcing FreeSWITCH to respond with a challenge response based on the password of the targeted gateway. The attacker does not require special network privileges to exploit this issue, only the ability to cause the victim server to send SIP request messages to the malicious party and to specify the correct realm, which might be considered secret but can easily be retrieved since many gateways are public. The vulnerability appears to be due to the code handling challenges in sofia_reg.c, sofia_reg_handle_sip_r_challenge(), which does not check whether the challenge originates from the actual gateway, allowing arbitrary UACs and gateways to challenge any request sent by FreeSWITCH with the realm of the targeted gateway.

Recommendations: To resolve the issue, update to version 1.10.7 or later. As a temporary workaround, consider creating an association between the SIP session for each gateway and its realm, so that this association is checked when responding to challenges. Restrict access to the sofia_reg.c module and the sofia_reg_handle_sip_r_challenge() function to minimize the risk of exploitation. Avoid using the realm parameter in SIP requests until the issue is resolved.
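As an added illustration of the association check the recommendation describes (example code, not FreeSWITCH's own sofia_reg.c logic), assuming a constructed gateway table that maps each configured gateway to its host and expected realm:

```python
import re

# Constructed example gateway table (not FreeSWITCH's real configuration format):
# gateway name -> host the gateway lives on and the realm it is expected to challenge with.
GATEWAYS = {
    "gw-provider-a": {"host": "sip.provider-a.example", "realm": "provider-a.example"},
    "gw-provider-b": {"host": "sip.provider-b.example", "realm": "provider-b.example"},
}

# name=value pairs of a Digest challenge; values may be quoted strings or bare tokens.
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_digest_challenge(header: str) -> dict:
    """Parse a WWW-Authenticate / Proxy-Authenticate value into its Digest parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    return {k.lower(): quoted or bare for k, quoted, bare in _PARAM_RE.findall(params)}


def should_answer_challenge(sent_to_gateway, challenge_header, source_host):
    """Decide whether an incoming 401/407 may be answered with gateway credentials.

    sent_to_gateway: name of the configured gateway the challenged request was sent to,
                     or None if the request went to an arbitrary UAC/peer.
    source_host:     host the challenge came back from.
    Credentials are released only when the challenge comes from the gateway the
    request was addressed to AND its realm equals that gateway's configured realm,
    which is the association the vulnerable code lacked.
    """
    if sent_to_gateway is None:
        return False                  # never answer ad-hoc peers with gateway secrets
    gw = GATEWAYS.get(sent_to_gateway)
    if gw is None:
        return False
    try:
        params = parse_digest_challenge(challenge_header)
    except ValueError:
        return False
    if "nonce" not in params or "realm" not in params:
        return False                  # malformed challenge, do not respond
    return source_host == gw["host"] and params["realm"] == gw["realm"]
```

The third case in the test below is the digest-leak pattern: a challenge carrying gateway B's realm on a request that was never sent to gateway B must not be answered.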

Exploit · Fix

Weakness Enumeration: Information Disclosure, Origin Validation Error

Related Identifiers

ALT-PU-2021-3374
ALT-PU-2021-3448
ALT-PU-2023-5726
CVE-2021-41158
GHSA-3V3F-99MV-QVJ4

Affected Products

Alt Linux
Freeswitch