CVE-2023-40018

Name of the Vulnerable Software and Affected Versions FreeSWITCH versions prior to 1.10.10

Description FreeSWITCH is a Software Defined Telecom Stack that enables digital transformation from proprietary telecom switches to a software implementation. The issue allows remote users to trigger an out of bounds write by offering an ICE candidate with an unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. This can lead to corruption of FreeSWITCH memory, resulting in undefined behavior of the system or a crash.

Recommendations For versions prior to 1.10.10, update to version 1.10.10 to resolve the issue. As a temporary workaround, consider restricting the handling of ICE candidates with unknown component IDs to minimize the risk of exploitation.