Hi All,
OpenSIPS just released an update to the audit that was done to OpenSIPS [1]. From my basic coding skills it seems like the changes that were done by the OpenSIPS project were not implemented in Kamailio, which means that Kamailio is potentially vulnerable? For example, you can compare the changes made by the OpenSIPS project here [2] and the Kamailio code here [3].
I am not active much on the list so please don't roast me if I am completely wrong here.
Regards,
Dovid
[1] http://lists.opensips.org/pipermail/users/2023-March/046849.html
[2] https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b7...
[3] https://github.com/kamailio/kamailio/blob/master/src/core/parser/digest/para...
Hello,
thanks for sharing this. What was done in the security audit from them is something that was already done by many people in the past for the Kamailio project. Several people presented about it at different conferences.
Many modules are also not similar due to the different ways both projects took (e.g., some modules are only present for one of the projects, Kamailio integrated many changes from the SER projects, etc.).
That said, it probably still makes sense to review the applicable parts and make sure that it does not affect the current code.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com/
From: Dovid Bender dovid@telecurve.com
Sent: Wednesday, 15 March 2023 20:20
To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org
Subject: [SR-Users] Issues/Vulnerabilities in OpenSipS that may affect Kamailio
Just to add to what Henning has said… the report is very interesting. I did spot check a few of the examples, as Sandro excellently documented how to reproduce.
The reproduction (such as what you posted with param_parser) did not produce the same crash as reported. If you can reproduce something here, please let us know (issue would be best) so it can be handled and documented.
Thanks,
—fred
On Mar 15, 2023, at 3:56 PM, Henning Westerholt hw@gilawa.com wrote:
Fred,
OK. I will try to produce myself on an older version of OpenSIPS and if I succeed there I will try on Kamailio and report back.
On Wed, Mar 15, 2023 at 4:58 PM Fred Posner fred@pgpx.io wrote:
Hi all -
We just posted about the OpenSIPS security audit report and actually commented about this topic: https://www.rtcsec.com/post/2023/03/opensips-security-audit-report/#do-any-o...
Here is what I wrote:
As of yet, we do not have a definitive answer. My initial impression, based on a spot check done some time ago, was that the issues did not appear applicable to the newest versions of Kamailio. But we are starting to take a second look and our opinion is actually changing. We plan to delve deeper into this topic, report to the Kamailio developers if anything is found and then publish a future blog post about it.
Regards,
--
Sandro Gauci, CEO at Enable Security GmbH
Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany
RTCSec Newsletter: https://www.rtcsec.com/subscribe
Our blog: https://www.rtcsec.com
Other points of contact: https://www.enablesecurity.com/contact/
On Wed, 15 Mar 2023, at 10:17 PM, Dovid Bender wrote: