CVE-2018-12584
published 2018-07-16


Priority: P268 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.59% (97.6th percentile)
The ConnectionBase::preparseNewBytes function in resip/stack/ConnectionBase.cxx in reSIProcate through 1.10.2 allows remote attackers to cause a denial of service (buffer overflow) or possibly execute arbitrary code when TLS communication is enabled.

Affected (3 ranges)

Vendor        Product        Version range   Fixed in
debian        debian_linux
debian        debian_linux
resiprocate   resiprocate    <= 1.10.2

Detection & IOCs (extracted from sources)

path: resip/stack/ConnectionBase.cxx
port: 5061
command: REGISTER sip:<server> SIP/2.0\r\nVia: SIP/2.0/TCP <via>\r\nContact: \r\nTo: \r\nFrom: \r\nCSeq: <n> REGISTER\r\nExpires: 600\r\nContent-Length: 100\r\n\r\n
command: SIP/2.0 200 OK with Content-Length: 100 followed by oversized body (100*'A' + 64*'B')
  • Trigger condition: TLS SIP message (REGISTER or response) sent with a Content-Length value lower than the actual body length that follows in a subsequent TLS packet. Detect anomalous Content-Length vs. actual body size mismatch on TLS port 5061.
  • The vulnerability is only exploitable over TLS (port 5061); TCP transport does not trigger the overflow. Focus TLS SIP inspection on ConnectionBase::preparseNewBytes call path.
  • No SIP authentication is required to trigger the vulnerability; unauthenticated REGISTER or SUBSCRIBE requests over TLS to port 5061 with mismatched Content-Length should be flagged.
  • Client-side exploitation vector: a malicious SIP server can trigger the overflow in reSIProcate-based clients by responding to a SUBSCRIBE request with a 200 OK containing a Content-Length smaller than the body sent.
  • The heap overflow is only reachable when TLS is enabled in reSIProcate. Deployments using TCP-only transport are not affected.
  • Affected versions are reSIProcate through 1.10.2. The fix is in commit 2cb291191c93c7c4e371e22cb89805a5b31d6608; 3CX Phone System 15.5.13470.6+ and Debian package 1:1.9.7-5+deb8u1 include the fix.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                9.8     CRITICAL