CVE-2023-22741
Vulnerability from cvelistv5
Published: 2023-01-19 21:20
Modified: 2024-08-02 10:20
Summary
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
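The defect class named in the summary is an attribute length that is trusted without comparing it to how much of the message remains. The following is an added example, not code from Sofia-SIP or from the fixing commit, showing the three checks a STUN attribute walker needs before any copy: message length against the received buffer, room for each attribute's 4-byte type/length header, and the (4-byte padded) attribute value against the bytes left. The header layout (2-byte type, 2-byte length, 16 further header bytes, then TLV attributes) follows the STUN wire format; the sample packets are constructed for this example, and the function name `stun_count_attributes` is an assumption, not a Sofia-SIP API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STUN_HDR_LEN      20   /* type(2) + length(2) + 16 bytes of cookie/transaction id */
#define STUN_ATTR_HDR_LEN  4   /* attribute type(2) + attribute length(2) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the attributes of a STUN message with full bounds checks.
 * Returns the number of attributes, or -1 if any length field would
 * reach past the supplied buffer. Hypothetical name, not a Sofia-SIP function. */
int stun_count_attributes(const uint8_t *buf, size_t buflen)
{
    if (buf == NULL || buflen < STUN_HDR_LEN)
        return -1;

    size_t msglen = rd16(buf + 2);            /* payload length, excludes the 20-byte header */
    if (msglen > buflen - STUN_HDR_LEN)       /* check 1: message length vs. what was received */
        return -1;

    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + msglen;
    int count = 0;
    while (off < end) {
        if (end - off < STUN_ATTR_HDR_LEN)    /* check 2: room for the attribute header */
            return -1;
        size_t alen   = rd16(buf + off + 2);
        size_t padded = (alen + 3) & ~(size_t)3;   /* attribute values are padded to 4 bytes */
        if (padded > end - (off + STUN_ATTR_HDR_LEN))  /* check 3: value fits in the remainder */
            return -1;
        /* only here is it safe to read/copy the alen bytes at buf + off + STUN_ATTR_HDR_LEN */
        off += STUN_ATTR_HDR_LEN + padded;    /* always advances by >= 4, so the loop terminates */
        count++;
    }
    return count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t k_good[] = {
    0x00, 0x01, 0x00, 0x08,                         /* Binding Request, 8 bytes of attributes */
    0x21, 0x12, 0xA4, 0x42, 0,0,0,0, 0,0,0,0, 0,0,0,0, /* cookie + transaction id */
    0x00, 0x06, 0x00, 0x04, 'a', 'b', 'c', 'd'      /* USERNAME, length 4 */
};
static const uint8_t k_oversized_attr[] = {
    0x00, 0x01, 0x00, 0x08,
    0x21, 0x12, 0xA4, 0x42, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x00, 0x06, 0xFF, 0xFF, 'a', 'b', 'c', 'd'      /* claims 65535 bytes, only 4 present */
};
static const uint8_t k_oversized_msg[] = {
    0x00, 0x01, 0xFF, 0xFF,                         /* header claims 65535 bytes of payload */
    0x21, 0x12, 0xA4, 0x42, 0,0,0,0, 0,0,0,0, 0,0,0,0
};

int main(void)
{
    printf("well-formed:        %d\n", stun_count_attributes(k_good, sizeof k_good));
    printf("oversized attribute: %d\n", stun_count_attributes(k_oversized_attr, sizeof k_oversized_attr));
    printf("oversized message:   %d\n", stun_count_attributes(k_oversized_msg, sizeof k_oversized_msg));
    printf("truncated datagram:  %d\n", stun_count_attributes(k_good, 22));
    return 0;
}
```

Every comparison is written as `claimed > remaining` on `size_t` values rather than `offset + claimed > total`, so an attacker-chosen length cannot wrap the arithmetic; a datagram failing any check is rejected before a single value byte is copied.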
References
Impacted products
Vendor | Product | Version
---|---|---
freeswitch | sofia-sip | < 1.13.11
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:20:30.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54" }, { "name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764" }, { "tags": [ "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5410" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "sofia-sip", "vendor": "freeswitch", "versions": [ { "status": "affected", "version": "\u003c 1.13.11" } ] } ], "descriptions": [ { "lang": "en", "value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute\u0027s type and length value, the length will be used directly to copy from the heap, regardless of the message\u0027s left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-19T21:20:22.744Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54" }, { "name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764" }, { "url": "https://www.debian.org/security/2023/dsa-5410" } ], "source": { "advisory": "GHSA-8599-x7rq-fr54", "discovery": "UNKNOWN" }, "title": "heap-over-flow in stun_parse_attribute in sofia-sip" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-22741", "datePublished": "2023-01-19T21:20:22.744Z", "dateReserved": "2023-01-06T14:21:05.892Z", "dateUpdated": "2024-08-02T10:20:30.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": 
"{\"cve\":{\"id\":\"CVE-2023-22741\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-19T22:15:11.273\",\"lastModified\":\"2024-11-21T07:45:20.117\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute\u0027s type and length value, the length will be used directly to copy from the heap, regardless of the message\u0027s left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Sofia-SIP es una librer\u00eda SIP User-Agent de c\u00f3digo abierto que cumple con la especificaci\u00f3n IETF RFC3261. En las versiones afectadas, Sofia-SIP **carece de comprobaciones de la longitud del mensaje y de la longitud de los atributos** cuando maneja paquetes STUN, lo que provoca un desbordamiento controlable del almacenamiento din\u00e1mico. Por ejemplo, en stun_parse_attribute(), despu\u00e9s de obtener el tipo y el valor de longitud del atributo, la longitud se usar\u00e1 directamente para copiar desde el heap, independientemente del tama\u00f1o izquierdo del mensaje. 
Dado que los usuarios de la red controlan la longitud desbordada y los datos se escriben en fragmentos de heap m\u00e1s tarde, los atacantes pueden lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la preparaci\u00f3n del heap u otros m\u00e9todos de explotaci\u00f3n. El error se introdujo hace 16 a\u00f1os en sofia-sip 1.12.4 (m\u00e1s algunos parches hasta el 21/12/2006) en las librer\u00edas del \u00e1rbol con git-svn-id: http://svn.freeswitch.org/svn/freeswitch/ tronco@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Se recomienda a los usuarios que actualicen. No se conocen soluciones para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"v
ulnerable\":true,\"criteria\":\"cpe:2.3:a:signalwire:sofia-sip:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.13.11\",\"matchCriteriaId\":\"0DF9E38A-C29D-4A98-82E7-5CAF18A94054\"}]}]}],\"references\":[{\"url\":\"https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5410\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5410\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.