CVE-2023-40019

FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue.

FreeSWITCH es una pila de telecomunicaciones definida por software que permite la transformación digital de switches de telecomunicaciones propietarios a una implementación de software que se ejecuta en cualquier hardware básico. Antes de la versión 1.10.10, FreeSWITCH permitía a los usuarios autorizados provocar un ataque de denegación de servicio enviando un nuevo INVITE con SDP que contenía nombres de códec duplicados. Cuando una llamada en FreeSWITCH completa la negociación del códec, la variable de canal `codec_string` se configura con el resultado de la negociación. En una renegociación posterior, si se ofrece un SDP que contiene códecs con los mismos nombres pero con diferentes formatos, es posible que FreeSWITCH detecte demasiadas coincidencias de códecs, lo que provocará desbordamientos de sus matrices internas. Al abusar de esta vulnerabilidad, un atacante puede corromper la pila de FreeSWITCH, lo que provoca un comportamiento indefinido del sistema o simplemente bloquearlo. La versión 1.10.10 contiene un parche para este problema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-08 CVE Reserved
2023-09-15 CVE Published
2024-09-21 EPSS Updated
2024-09-25 CVE Updated
2024-09-25 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (2)

URL	Tag	Source
https://github.com/signalwire/freeswitch/releases/tag/v1.10.10	Release Notes

URL	Date	SRC
https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q	2024-09-25

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Freeswitch Search vendor "Freeswitch"		Freeswitch Search vendor "Freeswitch" for product "Freeswitch"				< 1.10.10 Search vendor "Freeswitch" for product "Freeswitch" and version " < 1.10.10"		-		Affected