CVE-2020-15260

Name of the Vulnerable Software and Affected Versions PJSIP versions 2.10 and earlier

Description PJSIP is a free and open source multimedia communication library that implements standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. The library has a vulnerability that allows for insecure interaction without user awareness. This occurs because PJSIP transport can be reused if they have the same IP address + port + protocol, but it lacks remote hostname authentication. For example, if a TLS connection is created to sip.foo.com with an IP address 100.1.1.1, and then a connection is attempted to sip.bar.com with the same IP address, the existing connection will be reused, even though 100.1.1.1 does not have a certificate to authenticate as sip.bar.com. This vulnerability affects users who need access to connections to different destinations that translate to the same address and allows for man-in-the-middle attacks if an attacker can route a connection to another destination, such as in the case of DNS spoofing.

Recommendations For PJSIP versions 2.10 and earlier, consider disabling the reuse of existing connections to prevent insecure interactions. As a temporary workaround, restrict access to connections that translate to the same IP address to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.