ubuntu-cve-2023-27598
Vulnerability from osv_ubuntu
Published
2023-03-15 21:15
Modified
2025-10-24 05:01
Summary
Details

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.7 and 3.2.4, sending a malformed Via header to OpenSIPS triggers a segmentation fault when the function calc_tag_suffix is called. A specially crafted Via header, which is deemed correct by the parser, will pass uninitialized strings to the function MD5StringArray which leads to the crash. Abuse of this vulnerability leads to Denial of Service due to a crash. Since the uninitialized string points to memory location 0x0, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as sl_send_reply or sl_gen_totag that trigger the vulnerable code. This issue has been fixed in versions 3.1.7 and 3.2.4.


{
  "affected": [
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "opensips",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-b2bua-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-berkeley-bin",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-berkeley-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-carrierroute-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-compression-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-console",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-cpl-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-dbhttp-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-dialplan-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-emergency-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-geoip-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-http-modules",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-identity-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-jabber-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-json-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-ldap-modules",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-lua-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-memcached-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-mysql-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-perl-modules",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-postgres-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-presence-modules",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-rabbitmq-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-radius-modules",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-redis-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-regex-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-restclient-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-sctp-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-snmpstats-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-sqlite-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-tls-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-tlsmgm-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-unixodbc-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-wss-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-xmlrpc-module",
            "binary_version": "2.2.2-3build4"
          },
          {
            "binary_name": "opensips-xmpp-module",
            "binary_version": "2.2.2-3build4"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "opensips",
        "purl": "pkg:deb/ubuntu/opensips@2.2.2-3build4?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.2.2-3build2",
        "2.2.2-3build3",
        "2.2.2-3build4"
      ]
    }
  ],
  "aliases": [],
  "details": "OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.7 and 3.2.4, sending a malformed `Via` header to OpenSIPS triggers a segmentation fault when the function `calc_tag_suffix` is called. A specially crafted `Via` header, which is deemed correct by the parser, will pass uninitialized strings to the function `MD5StringArray` which leads to the crash. Abuse of this vulnerability leads to Denial of Service due to a crash. Since the uninitialized string points to memory location `0x0`, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as `sl_send_reply` or `sl_gen_totag` that trigger the vulnerable code. This issue has been fixed in versions 3.1.7 and 3.2.4.",
  "id": "UBUNTU-CVE-2023-27598",
  "modified": "2025-10-24T05:01:52Z",
  "published": "2023-03-15T21:15:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-27598"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/OpenSIPS/opensips/commit/ab611f74f69d9c42be5401c40d56ea06a58f5dd7"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/OpenSIPS/opensips/security/advisories/GHSA-wxfg-3gwh-rhvx"
    },
    {
      "type": "REPORT",
      "url": "https://opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdf"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27598"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "medium",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2023-27598"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…