<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Well, you have defined one definitive line between being stupid and following some current practice :-)<div class=""><br class=""></div><div class="">I like to think we as a project have an educational role as well. In this case, explaining the bug we had and what it can cause.</div><div class="">We should definitely add a warning along the lines you write too - relying on headers alone is bad and not best current practice.</div><div class=""><br class=""></div><div class="">/O<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 3 Sep 2020, at 10:14, davy van de moere <<a href="mailto:davy.van.de.moere@gmail.com" class="">davy.van.de.moere@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">After 20 years in VoIP, my 2 cents on this: if you succeed in creating a VoIP system where the security of the whole relies on the ability to remove (or only keep specific) custom SIP headers, you will wake up one morning realizing a bunch of people in Palestine made a gazillion calls over your system to expensive destinations, bringing you to or over the edge of bankruptcy.<div class=""><br class=""></div><div class="">Security should be multilayered; one header sneaking through should not give any big problems. </div><div class=""><br class=""></div><div class=""><div class="">From a security point of view, this could be called a 'normal' security risk, I think. It's a bit more than low as you can do more than just get some info, but it's not high, as you would need to have many other factors going wrong to get to a successful exploit. 
</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Op do 3 sep. 2020 om 09:18 schreef Olle E. Johansson <<a href="mailto:oej@edvina.net" class="">oej@edvina.net</a>>:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class="">One thought - we may have to separate security vulnerability reporting from security advisory documents. I think in some cases, where a common use of a product can lead to issues (but it is not clearly a bug that cause crashes in our code) we may have to send out an advisory and publish it in the same way. The problem with that is where the border is between just doing stupid things like taking SQL statements from SIP headers and issues like this that are harder to catch.<div class=""><br class=""></div><div class="">We had a long and hard discussion about this in the Asterisk project many years ago - a very common dialplan construct (that was documented in many places) was indeed very dangerous. It wasn’t any code in asterisk that caused the issue, just a common dialplan construct that existed in many, many production systems. 
In the end, if I remember correctly, the project issued an advisory and added a README about it.</div><div class=""><br class=""></div><div class="">Maybe that’s a way forward.</div><div class=""><br class=""></div><div class="">/O<br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 2 Sep 2020, at 21:25, Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="">hw@skalatan.de</a>> wrote:</div><br class=""><div class=""><div style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class=""><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span class="">Hello Maxim,<u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">have a look at the first sentence:<u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">“A security vulnerability is (for example) when a user of Kamailio can cause Kamailio to crash or lock up by sending messages to the server process.”<u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">So there is some limitation regarding vulnerability criticality defined in 
there. But of course (as I already mentioned), it might be improved to e.g. use CVSS scoring instead.</span><span lang="EN-GB" class=""><u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Cheers,<u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Henning<u class=""></u><u class=""></u></span></div><div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(225,225,225);padding:3pt 0cm 0cm" class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><b class=""><span lang="EN-GB" class="">From:</span></b><span lang="EN-GB" class=""><span class=""> </span>Maxim Sobolev <<a href="mailto:sobomax@sippysoft.com" style="color:blue;text-decoration:underline" target="_blank" class="">sobomax@sippysoft.com</a>><span class=""> </span><br class=""><b class="">Sent:</b><span class=""> </span>Wednesday, September 2, 2020 9:15 PM<br class=""><b class="">To:</b><span class=""> </span>Henning Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration:underline" target="_blank" class="">hw@skalatan.de</a>><br class=""><b class="">Cc:</b><span class=""> </span>Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" style="color:blue;text-decoration:underline" target="_blank" class="">miconda@gmail.com</a>>;<span class=""> </span><a 
href="mailto:yufei.tao@gmail.com" style="color:blue;text-decoration:underline" target="_blank" class="">yufei.tao@gmail.com</a>; Olle E. Johansson <<a href="mailto:oej@edvina.net" style="color:blue;text-decoration:underline" target="_blank" class="">oej@edvina.net</a>>; Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" style="color:blue;text-decoration:underline" target="_blank" class="">gjacobsen@rigatta.com</a>>; Kamailio (SER) - Users Mailing List <<a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration:underline" target="_blank" class="">sr-users@lists.kamailio.org</a>>;<span class=""> </span><a href="mailto:jbrower@signalogic.com" style="color:blue;text-decoration:underline" target="_blank" class="">jbrower@signalogic.com</a><br class=""><b class="">Subject:</b><span class=""> </span>Re: [SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf<u class=""></u><u class=""></u></span></div></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""><u class=""></u> <u class=""></u></span></div><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">On Wed, Sep 2, 2020 at 11:30 AM Henning Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration:underline" target="_blank" class="">hw@skalatan.de</a>> wrote:<u class=""></u><u class=""></u></div></div><div class=""><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm" class=""><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Hello Maxim,</span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" 
class=""> </span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">thank you for the clarification, appreciated.</span><u class=""></u><u class=""></u></div></div></div></blockquote><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">No worries, hope to have a civilized discussion.<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""> <u class=""></u><u class=""></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm" class=""><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Just one clarification, my comment regarding the advisory from 2018 was not meant as advertisement etc..</span><u class=""></u><u class=""></u></div></div></div></blockquote><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Point taken, I dramatized of course to underline my point. 
<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm" class=""><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">One suggestion to objectify the whole discussion, there exists a well-known and accepted metric for vulnerabilities: CVSS [1]<u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">If I calculate the CVSS score for this issue, it results in a medium level with score 5.8. But this is of course again (at least somewhat) influenced from my point of view to this bug.</span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""> </span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Some projects have a policy to only do a security announcement for vulnerabilities with score high and critical. 
For Kamailio this is not yet defined in a detailed way, due to the size of the project and other factors.</span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""> </span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">So, if people in this discussion (or other people on the list) are interested in improving the project security processes – this wiki page with the current process might be a good starting point: <a href="https://www.kamailio.org/wiki/security/policy" style="color:blue;text-decoration:underline" target="_blank" class="">https://www.kamailio.org/wiki/security/policy</a></span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class=""> </span><u class=""></u><u class=""></u></div><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span lang="EN-GB" class="">Please suggest your improvements to the existing process (preferably in a new discussion thread) on the sr-dev list. If you want to do it in private, feel free to contact the management list.</span><u class=""></u><u class=""></u></div></div></div></blockquote><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">Well, first suggestion after having read it: to start actually following what's documented before any improvements are made. 
;-) The policy says plain and simple (quote):<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div></div><blockquote style="margin-left:30pt;margin-right:0cm" class=""><div class=""><div class=""><h4 id="gmail-m_-221075449414644861gmail-publishing_security_vulnerabilities" style="margin-right:0cm;margin-left:35.4pt;font-size:12pt;font-family:Calibri,sans-serif;margin-bottom:12pt" class=""><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:rgb(51,51,51)" class="">Publishing security vulnerabilities<u class=""></u><u class=""></u></span></h4></div></div></blockquote><blockquote style="margin-left:30pt;margin-right:0cm" class=""><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:rgb(51,51,51)" class="">Kamailio will publish security vulnerabilities, including a CVE ID, on the kamailio-business mailing list, sr-dev, sr-users as well as related lists.<span class=""> </span></span><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:red" class="">The advisories will also be published on the<span class=""> </span><a href="http://kamailio.org/" style="color:blue;text-decoration:underline" target="_blank" class="">kamailio.org</a><span class=""> </span>web site</span><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:rgb(51,51,51)" class="">.</span> <u class=""></u><u class=""></u></div></div></div><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""> <u class=""></u><u class=""></u></div></div></div><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><span 
style="font-size:10.5pt;font-family:Arial,sans-serif;color:rgb(51,51,51)" class="">CVE entries should be created for vulnerabilities in the core and major modules, for rarely used modules this is not necessary. If there are several security issues together in one release, they should be announced together.</span>  <u class=""></u><u class=""></u></div></div></div></blockquote><div class=""><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""> <u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">I might be missing something obvious, but there is no "if" or "maybe" or "it depends". Any module that has been 18 years with the project qualifies to be a "major module" to me... <u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0cm 0cm 0cm 35.4pt;font-size:11pt;font-family:Calibri,sans-serif" class="">-Max</div></div></div></div></div></div></blockquote></div><br class=""></div></div>_______________________________________________<br class="">
Kamailio (SER) - Users Mailing List<br class="">
<a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="">sr-users@lists.kamailio.org</a><br class="">
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class="">
</blockquote></div>
_______________________________________________<br class="">Kamailio (SER) - Users Mailing List<br class=""><a href="mailto:sr-users@lists.kamailio.org" class="">sr-users@lists.kamailio.org</a><br class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users<br class=""></div></blockquote></div><br class=""></div></body></html>