[SR-Users] Security announcement related to Kamailio

Henning Westerholt hw at kamailio.org
Mon Mar 19 09:49:55 CET 2018 

Hello,

as already announced from Daniel-Constantin Mierla on the lists last Wednesday 
[1], we strongly advise you to update your Kamailio installation to the latest 
stable release for security reasons.

All supported releases (4.4, 5.0. and 5.1) contains two important security 
fixes related to the tmx and lcr module.


Technical details for the tmx issue:

A specially crafted REGISTER message with a malformed branch or From tag 
triggers a so called "off-by-one heap overflow". This vulnerability existed in 
the tmx module and makes it possible to remotely crash the Kamailio service. 

If an attacker sends many of this messages this would lead to a Denial of 
Service of the attacked infrastructure. This is especially critical as no 
authentication for the remote source is needed.

This vulnerability was found from Sandro Gauci and Alfred Farrugia from the 
Security Company Enable Security. Many thanks to them for finding the issue 
and reporting it to us.

You find all the details including a proof of concept code in the published 
security announcement from them:

https://github.com/EnableSecurity/advisories/tree/master/ES2018-05-kamailio-heap-overflow


Technical details for the lcr issue:

A vulnerability existed in the lcr next_gw() function. It happens when
a very long R-URI username is sent with an INVITE due to an mistake in the 
function error code handling. It can be triggered from a remote source, but
should be only from a trusted peer, as it expected that calls going
through lcr are authenticated by user or IP address.

This vulnerability was reported from an user in the Netherlands to us, thanks 
as well for the bug report.


So far we are not aware of any public exploits of this errors. But as already 
mentioned, we advise you to update your Kamailio servers to the latest stable 
release as soon as possible, especially as the tmx vulnerability will reported 
to more security lists later today.


Please address any detailed technical questions related to the two bugs to the 
developer list at sr-dev at lists.kamailio.org .

In case of confidential remarks related to this or other security issues, 
please address them to the Kamailio Management at management at kamailio.org .


Best regards,

Henning Westerholt
Kamailio Project


[1] https://lists.kamailio.org/pipermail/sr-users/2018-March/100672.html

More information about the sr-users mailing list