CVE-2023-28098

Name of the Vulnerable Software and Affected Versions OpenSIPS versions prior to 3.1.7 OpenSIPS versions prior to 3.2.4

Description OpenSIPS is a Session Initiation Protocol (SIP) server implementation. A specially crafted Authorization header causes OpenSIPS to crash or behave in an unexpected way due to a bug in the function parse param name(). This issue was discovered while performing coverage guided fuzzing of the function parse msg. The AddressSanitizer identified that the issue occurred in the function q memchr() which is being called by the function parse param name(). This issue may cause erratic program behaviour or a server crash. It affects configurations containing functions that make use of the affected code, such as the function www authorize().

Recommendations For versions prior to 3.1.7, update to version 3.1.7 or later. For versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider disabling the www authorize() function until a patch is available. Restrict access to configurations containing functions that make use of the affected code to minimize the risk of exploitation.