Staying alert to OpenSIPS vulnerabilities (16th Mar 2023)

Preface: The SIP protocol has taken the stage from the traditional telephony system; we cannot do without this protocol today.

Background: The Session Initiation Protocol is a signaling protocol that enables the Voice Over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call. SIP supports voice calls, video conferencing, instant messaging, and media distribution.
OpenSIPS is used by telecom operators, enterprises and network operators. OpenSIPS is essentially a SIP proxy server. It is concerned only with signaling, and it is a multipurpose, multifunctional SIP server that can be used as a switch or a router.

Vulnerabilities were found in OpenSIPS, and the official developers confirmed the symptoms by reproducing them. However, I observed that msg_parser.c has its own design weakness: when it runs in switch mode, pkg_malloc may give an attacker a way to exploit it.
The question is whether an attacker can exploit SIP Header Manipulation. SIP Header Manipulation allows the user fields in a SIP INVITE to be modified automatically.
For reference, see the comment from the parser below and refer to the attached picture.
if header-field well-known, parse it, find its end otherwise;
– after leaving the hdr->type switch, tmp should be set to the next header field

Vulnerability details:
CVE-2023-28096 – A memory leak was detected in the function parse_mi_request while performing coverage-guided fuzzing. Moderate severity, 4.5.
CVE-2023-27596 – OpenSIPS crashes when a malformed SDP body is sent multiple times to an OpenSIPS configuration that makes use of the stream_process function. This issue was discovered during coverage-guided fuzzing of the function codec_delete_except_re.
CVE-2023-28097 – A malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS.
CVE-2023-27597 – When a specially crafted SIP message is processed by the function rewrite_ruri, a crash occurs due to a segmentation fault.
CVE-2023-27598 – Sending a malformed Via header to OpenSIPS triggers a segmentation fault when the function calc_tag_suffix is called. A specially crafted Via header which is deemed correct by the parser will pass uninitialized strings to the function MD5StringArray, which leads to the crash.
Please refer to this link for details – https://github.com/OpenSIPS/opensips/security/advisories?state=published
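As an added example (not code from this post or from the OpenSIPS project), a small Python pre-check a defender could run over captured SIP traffic to flag the two message shapes the advisories above describe: a Content-Length that exceeds the real body and a Via header that does not carry a transport and sent-by host. The sample messages are constructed; the advisories do not publish the exact malformed inputs.

```python
import re

# Constructed sample messages (not taken from the advisories).
GOOD = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)
# Declared length far larger than the real body (the category of CVE-2023-28097).
BAD_CL = GOOD.replace("Content-Length: 5", "Content-Length: 999999")
# A constructed malformed Via with no sent-by host; the advisory names no specific shape.
BAD_VIA = GOOD.replace("Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc", "Via: SIP/2.0/UDP")

# A Via value must carry a transport and a sent-by host (RFC 3261 section 20.42).
VIA_RE = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP|WS|WSS)\s+[A-Za-z0-9.\-\[\]:]+", re.I)
# Compact header names that RFC 3261 allows in place of the long forms.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
MANDATORY = ("via", "from", "to", "call-id", "cseq")

def check_sip_message(raw: str) -> list:
    """Return a list of findings for one SIP message; an empty list means it looks sane."""
    findings = []
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return ["no CRLFCRLF separator between headers and body"]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name:
            findings.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for h in MANDATORY:
        if h not in headers:
            findings.append(f"missing mandatory header: {h}")
    for via in headers.get("via", []):
        if not VIA_RE.match(via):
            findings.append(f"malformed Via header: {via!r}")
    declared = headers.get("content-length", ["0"])[0]
    actual = len(body.encode())
    if not declared.isdigit():
        findings.append(f"non-numeric Content-Length: {declared!r}")
    elif int(declared) > actual:
        findings.append(f"Content-Length {declared} exceeds actual body ({actual} bytes)")
    return findings
```

Messages with findings are candidates for dropping at the edge or for alerting before they reach the proxy's parser; the check deliberately rejects on any doubt rather than trying to repair the message.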
