Headline
CVE-2023-27599: Vulnerability in the parse_to_param() function
OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.7 and 3.2.4, when the function append_hf handles a SIP message with a malformed To header, a call to the function abort() is performed, resulting in a crash. This is due to the following check in data_lump.c:399 in the function anchor_lump. An attacker abusing this vulnerability will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function append_hf. This issue has been fixed in versions 3.1.7 and 3.2.4.
When the function append_hf handles a SIP message with a malformed To header, a call to the function abort() is performed resulting in a crash. This is due to the following check in data_lump.c:399 in the function anchor_lump.
The payload that crashes the server is:
OPTIONS sip:127.0.0.1 SIP/2.0<CRLF>
Via: SIP/2.0/UDP 192.168.1.223:59589;rport;branch=z9hG4bK-dnOo7rULZLiOjRDh<CRLF>
To: a;a="T\
Impact
An attacker abusing this vulnerability will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function append_hf.
Patches
This issue has been fixed by commit cb56694.
References
Read more about this issue in the Audit Document section 3.8.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the OpenSIPS GitHub
- Email us at [email protected]