[sr-dev] Security announcement related to Kamailio

Henning Westerholt hw at kamailio.org
Mon Jul 30 09:53:39 CEST 2018


Hello,

I want to highlight that the last stable versions (for the two maintained 
series: 5.0 and 5.1) include fixes for security issues that can crash a 
running instance of Kamailio, therefore it is strongly recommended to upgrade.


Details:

There exists a security vulnerability in the Kamailio SIP server related to 
"To" header processing. A specially crafted SIP message with double "To" 
header and an empty "To" tag causes a segmentation fault and crashes Kamailio. 
The reason is missing input validation in the "build_res_buf_from_sip_req" 
core function.

If an attacker sends many of these messages, this would lead to a Denial of 
Service of the attacked infrastructure. This is especially critical as no 
authentication for the remote source is needed.

You can find all the details, including proof-of-concept code, in the published 
security announcement in my blog:

https://skalatan.de/blog/advisory-hw-2018-05

A CVE report for this issue is going to be created as well in the near future.


The issues were found some months ago and were fixed quickly. The code related 
to the reported issues is rather old and there are no known incidents of 
exploiting these issues so far. However, once the CVE report becomes public, 
there could be a higher risk of exploitation.

Please address any detailed technical questions related to this to the 
developer list at sr-dev at lists.kamailio.org .


In case of confidential remarks related to this or other security issues, 
please address them to the Kamailio Management.

Best regards,

Henning Westerholt


-- 
Henning Westerholt
https://skalatan.de/blog/
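
Added example, not part of the original message and not Kamailio code: a minimal pre-filter check in Python that flags the two conditions the announcement names (more than one "To" header, and an empty "To" tag) in a raw SIP message, for use in log review or in front of an unpatched instance. The function names and the sample messages are constructed for illustration; this is not the fix applied in "build_res_buf_from_sip_req".

```python
import re

# An empty tag parameter: ";tag=" followed by the end of the value or another ";".
EMPTY_TAG = re.compile(r";\s*tag\s*=\s*(?=;|$)", re.IGNORECASE)

def header_lines(raw):
    """Return the logical header lines of a SIP message, unfolding continuations."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n")[1:]:          # skip the request or status line
        if line[:1] in (" ", "\t") and lines:  # folded continuation line
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines

def check_to_header(raw):
    """List the To-header problems found in one raw SIP message."""
    to_values = []
    for line in header_lines(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "t"):   # "t" is the compact form
            to_values.append(value.strip())
    findings = []
    if not to_values:
        findings.append("missing To header")
    if len(to_values) > 1:
        findings.append("duplicate To header")
    if any(EMPTY_TAG.search(v) for v in to_values):
        findings.append("empty To tag")
    return findings

def sample(*to_lines):
    """Build a constructed test message around the given To header lines."""
    lines = ["OPTIONS sip:bob@example.test SIP/2.0",
             "Via: SIP/2.0/UDP client.example.test;branch=z9hG4bK74bf9",
             "From: <sip:alice@example.test>;tag=9fxced76sl",
             *to_lines,
             "Call-ID: 3848276298220188511@example.test",
             "CSeq: 1 OPTIONS", "Content-Length: 0", "", ""]
    return "\r\n".join(lines)

# Constructed samples, not captured traffic.
SAMPLES = {
    "well-formed": sample("To: <sip:bob@example.test>"),
    "duplicate": sample("To: <sip:bob@example.test>", "t: <sip:bob@example.test>"),
    "empty tag": sample("To: <sip:bob@example.test>;tag="),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", check_to_header(msg) or "ok")
```

The check also catches the compact header name "t" and a tag parameter placed on a folded continuation line, both of which a naive line match on "To:" would miss.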



