CVE-2023-27596

Name of the Vulnerable Software and Affected Versions OpenSIPS versions prior to 3.1.8 and 3.2.5

Description OpenSIPS is a Session Initiation Protocol (SIP) server implementation. The issue arises when a malformed SDP body is sent multiple times to an OpenSIPS configuration that uses the stream process function. This was discovered during coverage guided fuzzing of the codec delete except re function. An attacker can crash the server by exploiting this issue, which affects configurations containing functions that rely on the affected code, such as codec delete except re.

Recommendations For versions prior to 3.1.8, update to version 3.1.8 or later. For versions prior to 3.2.5, update to version 3.2.5 or later. As a temporary workaround, consider disabling the stream process function until a patch is available. Restrict access to configurations containing functions that rely on the affected code, such as codec delete except re, to minimize the risk of exploitation.