Hello,
I want to highlight that the last stable versions (for the two maintained series: 5.0 and 5.1) include fixes for security issues that can crash a running instance of Kamailio, therefore it is strongly recommended to upgrade.
Details:
There exists a security vulnerability in the Kamailio SIP server related to "To" header processing. A specially crafted SIP message with double "To" header and an empty "To" tag causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the "build_res_buf_from_sip_req" core function.
If an attacker sends many of these messages, this would lead to a Denial of Service of the attacked infrastructure. This is especially critical as no authentication of the remote source is needed.
You find all the details including a proof of concept code in the published security announcement in my blog:
https://skalatan.de/blog/advisory-hw-2018-05
A CVE report for this issue is going to be created as well in the near future.
The issues were found some months ago and were fixed quickly. The code related to the reported issues is rather old and there are no known incidents of exploiting these issues so far. However, once the CVE report becomes public, there could be a higher risk of exploitation.
Please address any detailed technical questions related to this to the developer list at sr-dev@lists.kamailio.org .
In case of confidential remarks related to this or other security issues, please address them to the Kamailio Management.
Best regards,
Henning Westerholt
On Monday, 30 July 2018, 09:53:39 CEST, Henning Westerholt wrote:
I want to highlight that the last stable versions (for the two maintained series: 5.0 and 5.1) include fixes for security issues that can crash a running instance of Kamailio, therefore it is strongly recommended to upgrade. [..]
Hello,
an addition to this security announcement related to a possible workaround:
For older Kamailio versions, and in case you need more time for an update, you can add the following logic at the top of your `request_route` block in your kamailio configuration file. This will drop the malicious message and prevent its processing.
    # a second To header is never valid; drop such requests before further processing
    if($(hdr(To)[1]) != $null) {
        xlog("second To header not null - dropping message");
        drop;
    }
The announcement on kamailio.org has been also updated to include this workaround:
https://www.kamailio.org/w/2018/07/kamailio-security-announcement-for-kamail...
Best regards,
Henning
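The same check the `request_route` workaround performs, written here as an added Python example (not Kamailio code and not part of the announcement) so it can be run offline over captured SIP messages, for instance to confirm whether traffic of this shape reached a proxy before the upgrade. It parses the header section of a raw message, counts the To headers (including the compact form `t`), and reports the tag parameter; the two sample messages are constructed for the example.

```python
"""Detect SIP requests carrying a duplicated To header.

Added example, not Kamailio code: it mirrors the kamailio.cfg workaround
`if($(hdr(To)[1]) != $null) { drop; }` in plain Python so the same check can
be applied to captured SIP traffic (packet captures, proxy logs) offline.
The sample messages below are constructed for this example.
"""
import re

# Compact-form name for To is "t" (RFC 3261 section 7.3.3); count both spellings.
TO_HEADER_NAMES = {"to", "t"}


def split_headers(raw: str):
    """Return (start_line, [(name, value), ...]) for a raw SIP message.

    Folded header lines (continuations starting with whitespace) are joined
    to the previous header; the body after the blank line is ignored.
    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start_line, rest = lines[0], lines[1:]
    headers = []
    for line in rest:
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return start_line, headers


def to_headers(raw: str):
    """All To header values in the message, in the order they appear."""
    _, headers = split_headers(raw)
    return [value for name, value in headers if name in TO_HEADER_NAMES]


def to_tag(value: str):
    """Tag parameter of a To header value: the string after 'tag=' (possibly
    empty), or None when the header carries no tag at all."""
    match = re.search(r";\s*tag=([^;\s]*)", value)
    return match.group(1) if match else None


def should_drop(raw: str) -> bool:
    """True when the message has more than one To header, which is exactly
    the condition the configuration workaround drops."""
    return len(to_headers(raw)) > 1


# Constructed sample: a well-formed INVITE with a single To header.
NORMAL_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP client.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the shape the announcement describes, a second To
# header (compact form here) with an empty tag parameter.
DOUBLE_TO_INVITE = NORMAL_INVITE.replace(
    "To: <sip:bob@example.com>\r\n",
    "To: <sip:bob@example.com>\r\n"
    "t: <sip:bob@example.com>;tag=\r\n",
)


if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_INVITE), ("double To", DOUBLE_TO_INVITE)):
        tags = [to_tag(v) for v in to_headers(msg)]
        print(f"{label}: To headers={len(to_headers(msg))} tags={tags} drop={should_drop(msg)}")
```

Running the module prints one line per sample; in a real deployment the interesting output is the count of dropped messages per source, which is the signal to watch in the `xlog` output of the workaround itself.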