CVE-2023-22741
Published 2023-01-19
Priority: P2 · 63 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.38% (81.8th percentile)
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attribute length checks** when it handles STUN packets, leading to a controllable heap overflow. For example, in stun_parse_attribute(), after the attribute's type and length values are read, the length is used directly to copy from the heap, regardless of how many bytes remain in the message. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) into the in-tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
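The two missing checks described above, shown as an added illustration written for this page (not Sofia-SIP's code): a STUN attribute walk that validates the message-length field against the bytes actually received and each attribute-length field against the remaining body before copying anything, run over constructed packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUN_HDR_LEN  20   /* type(2) + length(2) + 16 bytes of transaction id */
#define STUN_ATTR_HDR 4    /* attribute type(2) + attribute length(2) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the attributes of one received STUN datagram. Returns the number of
 * attributes, or -1 if any declared length exceeds what was actually received.
 * Both checks (message length vs. buffer, attribute length vs. remaining body)
 * happen before a single byte of attribute value is copied. */
int stun_walk_attributes(const uint8_t *buf, size_t buflen)
{
    if (buflen < STUN_HDR_LEN) return -1;
    size_t msglen = rd16(buf + 2);                    /* body length, header excluded */
    if (msglen % 4 != 0 || msglen > buflen - STUN_HDR_LEN) return -1;
    const uint8_t *p = buf + STUN_HDR_LEN, *end = p + msglen;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < STUN_ATTR_HDR) return -1;
        size_t len = rd16(p + 2), padded = (len + 3u) & ~(size_t)3; /* 32-bit aligned */
        if (padded > (size_t)(end - p) - STUN_ATTR_HDR) return -1;  /* the check the bug lacked */
        uint8_t value[64];                            /* copy is now provably in bounds */
        memcpy(value, p + STUN_ATTR_HDR, len < sizeof value ? len : sizeof value);
        p += STUN_ATTR_HDR + padded;
        count++;
    }
    return count;
}

/* Constructed samples (not captured traffic): Binding Request, body length 8,
 * one SOFTWARE attribute (0x8022) carrying the 4-byte value "test". */
#define HDR_REST 0x21,0x12,0xa4,0x42, 0x01,0x02,0x03,0x04, 0x05,0x06,0x07,0x08, 0x09,0x0a,0x0b,0x0c
static const uint8_t valid_pkt[]    = { 0x00,0x01, 0x00,0x08, HDR_REST, 0x80,0x22, 0x00,0x04, 't','e','s','t' };
/* Attribute length field claims 1024 bytes while only 4 follow it. */
static const uint8_t bad_attr_pkt[] = { 0x00,0x01, 0x00,0x08, HDR_REST, 0x80,0x22, 0x04,0x00, 't','e','s','t' };
/* Message length field claims a 256-byte body; only 8 body bytes were received. */
static const uint8_t bad_msg_pkt[]  = { 0x00,0x01, 0x01,0x00, HDR_REST, 0x80,0x22, 0x00,0x04, 't','e','s','t' };

int main(void)
{
    printf("valid: %d\n", stun_walk_attributes(valid_pkt, sizeof valid_pkt));                 /* 1 */
    printf("bad attribute length: %d\n", stun_walk_attributes(bad_attr_pkt, sizeof bad_attr_pkt)); /* -1 */
    printf("bad message length: %d\n", stun_walk_attributes(bad_msg_pkt, sizeof bad_msg_pkt));     /* -1 */
    return 0;
}
```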
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sofia-sip | < sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-4 (bookworm) | sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-4 (bookworm) |
| freeswitch | sofia-sip | < 1.13.11 | 1.13.11 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1-2.1+deb11u1 | 1.12.11+20110422.1-2.1+deb11u1 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1+1e14eea~dfsg-4 | 1.12.11+20110422.1+1e14eea~dfsg-4 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1+1e14eea~dfsg-4 | 1.12.11+20110422.1+1e14eea~dfsg-4 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1+1e14eea~dfsg-4 | 1.12.11+20110422.1+1e14eea~dfsg-4 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1-2.1+deb10u3build0.18.04.1 | 1.12.11+20110422.1-2.1+deb10u3build0.18.04.1 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.1 | 1.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.1 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.1 | 1.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.1 |
| freeswitch | sofia-sip | >= 0 < 1.12.11+20110422.1-2.1+deb10u3ubuntu0.16.04.1~esm1 | 1.12.11+20110422.1-2.1+deb10u3ubuntu0.16.04.1~esm1 |
| signalwire | sofia-sip | < 1.13.11 | 1.13.11 |
Detection & IOCs (extracted from sources)
- Focus detection on the stun_parse_attribute() function: the vulnerable code path where attacker-controlled length is used directly to copy from the heap without bounds checking
- Heap grooming or similar heap exploitation techniques may follow the overflow; look for anomalous heap activity or crashes in SIP/STUN-handling processes after receiving UDP packets
- Exploitation vector is remote via UDP (STUN is typically UDP); monitor SIP/STUN UDP ports for packets with attribute length fields exceeding the remaining message buffer size
- The vulnerable code was introduced in sofia-sip 1.12.4 and persisted for ~16 years; any deployment running sofia-sip versions prior to the fixed releases remains exposed
- There are no known workarounds; the only mitigation is upgrading to a fixed version of Sofia-SIP
- Debian fixed versions vary by release: bookworm/forky/sid/trixie fixed in 1.12.11+20110422.1+1e14eea~dfsg-4; bullseye fixed in 1.12.11+20110422.1-2.1+deb11u1
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_ubuntu | 7.5 | HIGH | |
Ubuntu: Sofia-SIP vulnerabilities (vendor_ubuntu · 2023-03-07 · CVSS 7.5)
CVE-2022-47516 [HIGH]
Summary: Several security issues were fixed in Sofia-SIP.
It was discovered that Sofia-SIP incorrectly handled specially crafted SDP packets. A remote attacker could use this issue to cause applications using Sofia-SIP to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-31001, CVE-2022-31002, CVE-2022-31003)

It was discovered that Sofia-SIP incorrectly handled specially crafted UDP packets. A remote attacker could use this issue to cause applications using Sofia-SIP to crash, leading to a denial of service. (CVE-2022-47516)

Qiuhao Li discovered that Sofia-SIP incorrectly handled specially crafted STUN packets. A remote
Debian: CVE-2023-22741: sofia-sip (vendor_debian · 2023 · CVSS 9.8)
CVE-2023-22741 [CRITICAL]
OSV: sofia-sip vulnerabilities (osv · 2023-03-07 · CVSS 7.5)
CVE-2022-31001 [HIGH]
OSV: CVE-2023-22741: Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification (osv · 2023-01-19 · CVSS 9.8)
CVE-2023-22741 [CRITICAL]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764
- https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54
- https://www.debian.org/security/2023/dsa-5410