[SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf
Maxim Sobolev
sobomax at sippysoft.com
Wed Sep 2 19:26:45 CEST 2020
Hey Daniel, Henning, Tao,
Thanks for commenting out. There are a lot of opinions for me to address
individually, so I will just clarify my opinion. The only substantial
difference I think is whether the issue at hand warrants a security
advisory to be issued by the Kamailio project or not. I totally think that
it does, but it looks like I am in the minority here.
Why do I think this way? Well, the first argument is a bit empirical. It is
hard to generalize out of sample size 1, but in like 90% engagements where
I had to use SIP Proxy element and integrate it with different SIP elements
I ended up using "private headers" for passing information between elements
within that setup. So the task of cleaning up those headers at the edge of
the network is very relevant at least to some users. It also matches
Sandro's assessment, which gives it at least some credibility.
Second, a more general one. Not only I have some experience in software
development field, but also I got a chance to participate in much bigger
and older open source projects (i.e. FreeBSD Project, 400+ active
developers, 1,000+ contributors) so I have seen how security is dealt with
properly in a mature open source project. You guys might fancy the fact
that Kamailio issued the last security advisory in 2018 as a "code quality"
indicator, but to me that shows a total lack of proper security process.
With the code base of its size, I'd expect at least several security issues
of various criticality being found per year. I frankly don't understand the
pushback I am getting. It almost looks like issuing such advisory is viewed
as harmful and damaging on project "spotless" reputation or something.
However in my view it would show respect to users and understanding that
many of those users might be using it in a way that differs from its
creators.
It might come as a surprise to some of you, but 95% of Kamailio users are
not reading this and those lists or following Sandro's work in general.
However, if there were a section "Security Advisories" on kamailio.org that
would be the place to go. And those users are often not individuals, but
companies building their products and solutions atop of Kamailio.
Also properly issued security advisory helps package maintainers, any linux
distro of decent size has its own process to handle and disseminate those
among their own users to update package ASAP. But if Kamailio chooses to
not issue any it basically cuts itself out of that process.
And last but not least, to the remark that I need to step in and fix
things, well I am hardly a person to do that. Too many projects and too
little time, however I also don't think I cannot voice my opinion, or can
I? By the way I know at least one person in the Kamailio community that
might be more fit as a "Kamailio Security Officer": Olle E. Johansson.
Olle, what's your take on this? Does this problem warrants security
advisory?
-Max
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200902/315d0bc9/attachment.htm>
More information about the sr-users
mailing list