<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2020, at 16:19, Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" class="">gjacobsen@rigatta.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Olle,<div class=""><br class=""></div><div class="">the page you are pointing to does not contain any Kamailio security advisories. What is needed is a timeline of advisories so one can understand whether one's system is vulnerable, and what the vulnerability is - like this:</div><div class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class=""><div class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class=""><div class=""><div class=""><a href="https://www.asterisk.org/downloads/security-advisories/" class="">https://www.asterisk.org/downloads/security-advisories/</a></div></div></div></div></div></div></div></div></div></div></blockquote><div><br class=""></div>When we publish advisories, there will be a timeline of them.<br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">As mentioned, it would also be helpful to label GitHub issues so one can filter for security issues.</div></div></div></blockquote>As many have stated here, we are looking for volunteers to help. 
Most developers are aiming to fix issues quickly as they pop up.</div><div><br class=""></div><div>As I stated earlier, this requires a larger discussion between developers. Thanks for your input!</div><div><br class=""></div><div>Trust me, what you add here is something we have discussed many times before, not just now, and we are very well aware of it.</div><div><br class=""></div><div>/O</div><div><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">Best Gerry</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2020, at 15:26, Olle E. Johansson <<a href="mailto:oej@edvina.net" class="">oej@edvina.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2020, at 13:30, Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" class="">gjacobsen@rigatta.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Daniel,<div class=""><div class=""><br class=""></div><div class="">your frustration is understandable, and I hope you excuse a further comment. What is missing, IMVHO, is a central point of reference for all Kamailio security issues. 
Googling for “Kamailio security” reveals <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-15820/Kamailio.html" class="">https://www.cvedetails.com/vulnerability-list/vendor_id-15820/Kamailio.html</a> as the most comprehensive source. However, it lacks this latest header bug.</div><div class=""><div class=""><br class=""></div></div></div></div></div></blockquote><a href="https://www.kamailio.org/wiki/security/policy" class="">https://www.kamailio.org/wiki/security/policy</a></div><div class=""><br class=""></div><div class="">Maybe we should make it easier to find from the home page as you did not find it.</div><div class=""><br class=""></div><div class="">/O<br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div class=""><div class="">My suggestion would be to create a special “Security Advisories” page on the Kamailio website which points to security news, so that Google indexes that page. As, for example, Asterisk has <a href="https://www.asterisk.org/downloads/security-advisories/" class="">https://www.asterisk.org/downloads/security-advisories/</a></div><div class=""><div class=""><br class=""></div><div class="">And create on GitHub an extra “security” label so one can filter for that. </div><div class=""><a href="https://github.com/kamailio/kamailio/labels" class="">https://github.com/kamailio/kamailio/labels</a></div><div class="">And then point from the above-mentioned “Security Advisories” page to a filtered GitHub view.</div><div class=""><br class=""></div><div class="">Thanks for your great work on Kamailio. 
It's highly appreciated!</div><div class=""><br class=""></div><div class="">Best Gerry</div></div></div></div><div class=""><br class=""></div><div class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2020, at 12:55, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">At least in my case you push out some inaccurate information. I never said my "deployments were not affected since non-standard headers were not used".</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">IIRC, I only said that none of my deployments were affected by this issue -- respectively quoting from my message: "None of my deployments were affected." from: <a class="moz-txt-link-freetext" href="https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html">https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html</a><span class="Apple-converted-space"> </span>. 
If I am mistaken and you found another remark from me, just point to my message from where you got that.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">So, for further clarification: either non-standard headers were used for non-security-related features (e.g., used for troubleshooting purposes) or the issue didn't affect the deployments from a different perspective (e.g., traffic was checked to be from a trusted source).</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">And remember that the issue was not with the remove_hf() function itself, as it is somehow propagated by blog posts, but it was in the parser, so use of custom headers between two Kamailio instances was not affected if an edge proxy did something like:</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">remove_hf("X-H");</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">append_hf("X-H: abc\r\n");</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">And then, if the next-hop Kamailio was using $hdr(X-H), it would get "abc" (the value added by the previous Kamailio), not what a bad actor would add as an "X-H : badvalue\r\n" SIP header.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Then you listed two commits you consider there should have been security advisories about. Have you analysed the code and found cases where security was affected, or is it just your opinion based on the commit message and code patch?</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">First, I would love it if one or many spent time dissecting commits and seeing their security implications. 
I am more than happy when someone does it and lets everyone be aware of it, and also writes and publishes an appropriate advisory.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Otherwise, for those two specific commits you listed, the one from Federico is a memory leak; I haven't spent time going deeper to find the specific cases, the From header should be parsed in SIP requests. My commit was done based on a static code analyzer and again I was not spending time to see what the implications are.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">In general, in the code we work a lot with the str structure (non-zero-terminated char* and len); many of the "safety" commits done lately were to silence static code analysers, not meaning that there was a real issue found behind them. 
Some can be, and here we appreciate the time and effort of people like you to dissect them and make appropriate advisories.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">I would like people to verify what they write about what specific people (of course, especially in my case) said before pushing it out, and eventually validate that a commit to fix something has security impact, instead of just personal guessing, if the intention is to help the project and not to create more confusion or other reactions for whatsoever reasons.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">This should be my last comment on the thread; I do not want to spend any more time clarifying what people think I said or did.</p><p style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Cheers,<br class="">Daniel<br class=""></p><div class="moz-cite-prefix" style="caret-color: rgb(0, 0, 0); font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; 
text-decoration: none;">On 22.09.20 11:31, Sandro Gauci wrote:<br class=""></div><blockquote type="cite" cite="mid:39726c23-56f3-4069-b3b0-addd6118f36a@www.fastmail.com" style="font-family: ArialMT; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div class="">I know I am waking up an old debate by replying to this thread. Deeply sorry :-)<br class=""></div><div class=""><br class=""></div><div class="">Finally got around to writing up a blog post about this very thread where I (think) I spared absolutely no one, not even myself.<span class="Apple-converted-space"> </span><br class=""></div><div class=""><br class=""></div><div class="">My post is called "The great Kamailio security debate and some misconceptions debunked" and can be read here:<br class=""></div><div class=""><br class=""></div><div class=""><a href="https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/" moz-do-not-send="true" class="">https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/</a><br class=""></div><div class=""><br class=""></div><div class="">The ToC:<br class=""></div><ol class=""><li class="">Introduction<br class=""></li><li class="">A bit of background before diving in<br class=""></li><li class="">Claim: this issue does not affect many organisations<br class=""></li><li class="">Claim: custom headers are only known to internal users<br class=""></li><li class="">Claim: if it’s an 18 year old bug, it can’t have been high risk<br class=""></li><li class="">Claim: this should have been found if people were doing proper testing<br class=""></li><li class="">Claim: infrequent advisories = project is not serious about security<br class=""></li><li 
class="">Claim: limited number of advisories = project is more secure<br class=""></li><li class="">Claim: if you’re serious about security, monitor the mailing lists<br class=""></li><li class="">Claim: security experts should decide what is a security vulnerability<br class=""></li><li class="">Discussion: when should the project publish an advisory?<br class=""></li><li class="">Discussion: educational security role<br class=""></li><li class="">Moving forward<br class=""></li></ol><div class="">Hope that it is at least interesting and perhaps even constructive!<br class=""></div><div class=""><br class=""></div><div class="">Best wishes,<br class=""></div><div id="sig45665722" class=""><div class=""><br class=""></div><div class="">--<br class=""></div><div class=""> <br class=""></div><div class=""> Sandro Gauci, CEO at Enable Security GmbH<br class=""></div><div class=""><br class=""></div><div class=""> Register of Companies: AG Charlottenburg HRB 173016 B<br class=""></div><div class=""> Company HQ: Pappelallee 78/79, 10437 Berlin, Germany<br class=""></div><div class=""> PGP/Encrypted comms: <span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://keybase.io/sandrogauci">https://keybase.io/sandrogauci</a><br class=""></div><div class=""> Our blog: <span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://www.rtcsec.com/">https://www.rtcsec.com</a><br class=""></div><div class=""> Other points of contact: <span class="Apple-converted-space"> </span><a class="moz-txt-link-freetext" href="https://enablesecurity.com/#contact-us">https://enablesecurity.com/#contact-us</a><br class=""></div><div class=""><br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">On Thu, 3 Sep 2020, at 10:34 AM, Olle E. 
Johansson wrote:<br class=""></div><blockquote type="cite" id="qt" style="overflow-wrap: break-word;" class=""><div class="">Well, you have defined one definitive line between being stupid and following some current practice :-)<br class=""></div><div class="qt-"><br class=""></div><div class="qt-">I like to think we as a project have an educational role as well. In this case explaining the bug we had and what it can cause.<br class=""></div><div class="qt-">We should definitely add a warning along the lines you write too - relying on headers alone is bad and not best current practice.<br class=""></div><div class="qt-"><br class=""></div><div class="qt-"><div class="">/O<br class=""></div><div class=""><div class=""><br class=""></div><blockquote type="cite" class="qt-"><div class="qt-">On 3 Sep 2020, at 10:14, davy van de moere <<a href="mailto:davy.van.de.moere@gmail.com" class="qt-" moz-do-not-send="true">davy.van.de.moere@gmail.com</a>> wrote:<br class=""></div><div class=""><br class=""></div><div class="qt-"><div dir="ltr" class="qt-"><div class="">After 20 years in VoIP, my 2 cents on this: if you succeed in creating a VoIP system where the security of the whole relies on the ability to remove (or only keep specific) custom SIP headers, you will wake up one morning realizing a bunch of people in Palestine made a gazillion calls over your system to expensive destinations, bringing you to or over the edge of bankruptcy.<br class=""></div><div class="qt-"><br class=""></div><div class="qt-">Security should be multilayered; one header sneaking through should not give any big problems. <br class=""></div><div class="qt-"><br class=""></div><div class="qt-"><div class="qt-">From a security point of view, this could be called a 'normal' security risk, I think. It's a bit more than low as you can do more than just get some info, but it's not high, as you would need to have many other factors going wrong to get to a successful exploit. 
<br class=""></div><div class="qt-"><br class=""></div><div class="qt-"><br class=""></div><div class="qt-"><br class=""></div></div></div><div class=""><br class=""></div><div class="qt-gmail_quote"><div dir="ltr" class="qt-gmail_attr">On Thu, 3 Sep 2020 at 09:18, Olle E. Johansson <<a href="mailto:oej@edvina.net" class="qt-" moz-do-not-send="true">oej@edvina.net</a>> wrote:<br class=""></div><blockquote class="qt-gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class="qt-" style="overflow-wrap: break-word;"><div class="">One thought - we may have to separate security vulnerability reporting from security advisory documents. I think in some cases, where a common use of a product can lead to issues (but it is not clearly a bug that causes crashes in our code), we may have to send out an advisory and publish it in the same way. The problem with that is where the border is between just doing stupid things like taking SQL statements from SIP headers and issues like this that are harder to catch.<br class=""></div><div class="qt-"><br class=""></div><div class="qt-">We had a long and hard discussion about this in the Asterisk project many years ago - a very common dialplan construct (that was documented in many places) was indeed very dangerous. It wasn’t any code in Asterisk that caused the issue, just a common dialplan construct that existed in many, many production systems. 
In the end, if I remember correctly, the project issued an advisory and added a README about it.<br class=""></div><div class="qt-"><br class=""></div><div class="qt-">Maybe that’s a way forward.<br class=""></div><div class="qt-"><br class=""></div><div class="qt-"><div class="">/O<br class=""></div><div class="qt-"><div class=""><br class=""></div><blockquote type="cite" class="qt-"><div class="qt-">On 2 Sep 2020, at 21:25, Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="qt-" moz-do-not-send="true">hw@skalatan.de</a>> wrote:<br class=""></div><div class=""><br class=""></div><div class="qt-"><div class="qt-" style="font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration-line: none;"><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-">Hello Maxim,</span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-"> </span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">have a look at the first sentence:</span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">“A security vulnerability is (for example) when a user of Kamailio can cause Kamailio to crash or lock up by sending messages to the server process.”</span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm; 
font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">So there is some limitation regarding vulnerability criticality defined in there. But of course (as I already mentioned), it might be improved to e.g. use CVSS scoring instead.</span><span class="qt-" lang="EN-GB"></span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Cheers,</span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Henning</span><br class=""></div><div class="qt-" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0cm 0cm;"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b class="qt-"><span class="qt-" lang="EN-GB">From:</span></b><span class="qt-" lang="EN-GB"><span class="qt-"> </span>Maxim Sobolev <<a href="mailto:sobomax@sippysoft.com" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">sobomax@sippysoft.com</a>><span class="qt-"> </span><br class="qt-"><b class="qt-">Sent:</b><span class="qt-"> </span>Wednesday, September 2, 2020 9:15 PM<br class="qt-"><b class="qt-">To:</b><span class="qt-"> </span>Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">hw@skalatan.de</a>><br 
class="qt-"><b class="qt-">Cc:</b><span class="qt-"> </span>Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">miconda@gmail.com</a>>;<span class="qt-"> </span><a href="mailto:yufei.tao@gmail.com" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">yufei.tao@gmail.com</a>; Olle E. Johansson <<a href="mailto:oej@edvina.net" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">oej@edvina.net</a>>; Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">gjacobsen@rigatta.com</a>>; Kamailio (SER) - Users Mailing List <<a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">sr-users@lists.kamailio.org</a>>;<span class="qt-"> </span><a href="mailto:jbrower@signalogic.com" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">jbrower@signalogic.com</a><br class="qt-"><b class="qt-">Subject:</b><span class="qt-"> </span>Re: [SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf</span></div></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">On Wed, Sep 2, 2020 at 11:30 AM Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">hw@skalatan.de</a>> wrote:<br class=""></div></div><div class="qt-"><blockquote class="qt-" 
style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0cm 0cm 0cm 6pt; margin-left: 4.8pt; margin-right: 0cm;"><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Hello Maxim,</span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">thank you for the clarification, appreciated.</span><br class=""></div></div></div></blockquote><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">No worries, hope to have a civilized discussion.<br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><blockquote class="qt-" style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0cm 0cm 0cm 6pt; margin-left: 4.8pt; margin-right: 0cm;"><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Just one clarification, my comment regarding the advisory from 2018 was not meant as advertisement etc..</span><br class=""></div></div></div></blockquote><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; 
font-size: 11pt; font-family: Calibri, sans-serif;">Point taken, I dramatized of course to underline my point. <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><blockquote class="qt-" style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0cm 0cm 0cm 6pt; margin-left: 4.8pt; margin-right: 0cm;"><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">One suggestion to objectify the whole discussion, there exists a well-known and accepted metric for vulnerabilities: CVSS [1]<br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">If I calculate the CVSS score for this issue, it results in a medium level with score 5.8. But this is of course again (at least somewhat) influenced from my point of view to this bug.</span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Some projects have a policy to only do a security announcement for vulnerabilities with score high and critical. 
For Kamailio this is not yet defined in a detailed way, due to the size of the project and other factors.</span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">So, If people in this discussion (or other people on the list) are interested in improving the project security processes – this wiki page with the current process might be a good starting point:<a href="https://www.kamailio.org/wiki/security/policy" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">https://www.kamailio.org/wiki/security/policy</a></span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB"> </span><br class=""></div><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" lang="EN-GB">Please suggest your improvements to the existing process (preferable in a new discussion thread) on the sr-dev list. If you want to do it in private, feel free contact the management list.</span><br class=""></div></div></div></blockquote><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">Well, first suggestion after having read it: to start actually following what's documented before any improvements are made. 
;-) The policy says plain and simple (quote):<br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div></div><blockquote class="qt-" style="margin-left: 30pt; margin-right: 0cm;"><div class="qt-"><div class="qt-"><h4 id="qt-gmail-m_-221075449414644861gmail-publishing_security_vulnerabilities" class="qt-" style="margin-right: 0cm; margin-left: 35.4pt; font-size: 12pt; font-family: Calibri, sans-serif; margin-bottom: 12pt;"><span class="qt-" style="color: rgb(51, 51, 51);"><span class="font" style="font-family: Arial, sans-serif;"><span class="size" style="font-size: 10.5pt;">Publishing security vulnerabilities</span></span></span><br class=""></h4></div></div></blockquote><blockquote class="qt-" style="margin-left: 30pt; margin-right: 0cm;"><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" style="color: rgb(51, 51, 51);"><span class="font" style="font-family: Arial, sans-serif;"><span class="size" style="font-size: 10.5pt;">Kamailio will publish security vulnerabilities, including a CVE ID, on the kamailio-business mailing list, sr-dev, sr-users as well as related lists.<span class="qt-"> </span></span></span></span><span class="qt-" style="color: red;"><span class="font" style="font-family: Arial, sans-serif;"><span class="size" style="font-size: 10.5pt;">The advisories will also be published on the<span class="qt-"> </span><a href="http://kamailio.org/" target="_blank" class="qt-" moz-do-not-send="true" style="color: blue; text-decoration-line: underline;">kamailio.org</a><span class="qt-"> </span>web site</span></span></span><span class="qt-" style="color: rgb(51, 51, 51);"><span class="font" style="font-family: Arial, sans-serif;"><span class="size" style="font-size: 10.5pt;">.</span></span></span> <br class=""></div></div></div><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div></div><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span class="qt-" style="color: rgb(51, 51, 51);"><span class="font" style="font-family: Arial, sans-serif;"><span class="size" style="font-size: 10.5pt;">CVE entries should be created for vulnerabilities in the core and major modules; for rarely used modules this is not necessary. If there are several security issues together in one release, they should be announced together.</span></span></span> <br class=""></div></div></div></blockquote><div class="qt-"><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">I might be missing something obvious, but there is no "if" or "maybe" or "it depends". Any module that has been with the project for 18 years qualifies to be a "major module" to me... 
<br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br class=""></div></div><div class="qt-"><div class="qt-" style="margin: 0cm 0cm 0cm 35.4pt; font-size: 11pt; font-family: Calibri, sans-serif;">-Max<br class=""></div></div></div></div></div></div></blockquote></div><div class=""><br class=""></div></div></div><div class="">_______________________________________________<br class=""></div><div class="">Kamailio (SER) - Users Mailing List<br class=""></div><div class=""><a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="qt-" moz-do-not-send="true">sr-users@lists.kamailio.org</a><br class=""></div><div class=""><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" class="qt-" moz-do-not-send="true">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class=""></div></blockquote></div><div class="">_______________________________________________<br class=""></div><div class="">Kamailio (SER) - Users Mailing List<br class=""></div><div class=""><a href="mailto:sr-users@lists.kamailio.org" class="qt-" moz-do-not-send="true">sr-users@lists.kamailio.org</a><br class=""></div><div class=""><a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class=""></div></div></blockquote></div></div><div class="">_______________________________________________<br class=""></div><div class="">Kamailio (SER) - Users Mailing List<br class=""></div><div class=""><a href="mailto:sr-users@lists.kamailio.org" moz-do-not-send="true" class="">sr-users@lists.kamailio.org</a><br class=""></div><div class=""><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" moz-do-not-send="true" class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class=""></div><div 
class=""><br class=""></div></blockquote><div class=""><br class=""></div><br class=""><fieldset class="mimeAttachmentHeader"></fieldset><pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre></blockquote><pre class="moz-signature" cols="72" style="caret-color: rgb(0, 0, 0); font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></body></html>