Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary
telecom switches to a software implementation that runs on any commodity hardware. Prior to version
1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By
default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of
FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without
requiring any authentication. Although this behaviour can be changed by setting the `auth-messages`
parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send
SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring
authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear
to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing
and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message
type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the
`auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to
explicitly disable authentication. (CVE-2021-37624)
- FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary
telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP
calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS where calls can be terminated by remote
attackers. This attack can be done continuously, thus denying encrypted calls during the attack. When a
media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is
terminated leading to denial of service. This issue was reproduced when using the SDES key exchange
mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC
environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which
disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100). By abusing
this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack
does not require authentication or any special foothold in the caller's or the callee's network. This
issue is patched in version 1.10.7. (CVE-2021-41105)
- FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary
telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to
version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP
messages, it was observed that after a number of seconds the process was killed by the operating system
due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH
instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require
authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.
(CVE-2021-41145)
- FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary
telecom switches to a software implementation that runs on any commodity hardware. By default, SIP
requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this
security issue allows attackers to subscribe to user agent event notifications without the need to
authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks.
For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was
fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version,
may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update
the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH
administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a
recommendation, a new parameter can be introduced to explicitly disable authentication. (CVE-2021-41157)
- FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary
telecom switches to a software implementation that runs on any commodity hardware. Prior to version
1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge
response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP
requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge
response which is based on the password of that targeted gateway. Abuse of this vulnerability allows
attackers to potentially recover gateway passwords by performing a fast offline password cracking attack
on the challenge response. The attacker does not require special network privileges, such as the ability
to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this
attack to work is the ability to cause the victim server to send SIP request messages to the malicious
party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in
some cases be considered secret. However, because many gateways are actually public, this information can
easily be retrieved. The vulnerability appears to be due to the code which handles challenges in
`sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating
from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any
request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version
10.10.7. Maintainers recommend that one should create an association between a SIP session for each
gateway and its realm to make a check be put into place for this association when responding to
challenges. (CVE-2021-41158)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 10/25/2021