CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2023-51443 – FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation
https://notcve.org/view.php?id=CVE-2023-51443
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. • http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11 https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6 • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40019 – FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names
https://notcve.org/view.php?id=CVE-2023-40019
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. • https://github.com/signalwire/freeswitch/releases/tag/v1.10.10 https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40018 – FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID
https://notcve.org/view.php?id=CVE-2023-40018
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue. • https://github.com/signalwire/freeswitch/releases/tag/v1.10.10 https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2021-41105 – FreeSWITCH susceptible to Denial of Service via invalid SRTP packets
https://notcve.org/view.php?id=CVE-2021-41105
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. • http://seclists.org/fulldisclosure/2021/Oct/43 https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41157 – FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default
https://notcve.org/view.php?id=CVE-2021-41157
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. • http://seclists.org/fulldisclosure/2021/Oct/41 https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e https://github.com/signalwire/freeswitch/releases/tag/v1.10.6 https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •