Kamailio: header smuggling via remove_hf bypass
Published on Sep 1, 2020 in CVE-2020-28361, kamailio, security advisory
- Fixed versions: Kamailio v5.4.0
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-01-kamailio-remove-hf/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-01-kamailio-remove-hf
- References: CVE-2020-28361
- Tested vulnerable versions: 5.3.5 and earlier
- Timeline:
  - Report date & issue patched by Kamailio: 2020-07-16
  - Kamailio rewrite for header parser (better fix): 2020-07-16 to 2020-07-23
  - Kamailio release with fix: 2020-07-29
  - Enable Security advisory: 2020-09-01
Description
Kamailio is often configured to strip certain special internal SIP headers from untrusted traffic, using the remove_hf function from the Kamailio textops module, to protect against header injection attacks. These headers are typically set by Kamailio itself and consumed downstream, e.g. by a media service based on Asterisk, to drive internal business-logic decisions. During our tests and research we noticed that the removal of these headers can be bypassed by injecting whitespace characters at the end of the header name, i.e. between the name and the colon. RFC 3261 explicitly permits whitespace there (HCOLON = *( SP / HTAB ) ":" SWS), so a downstream parser that follows the RFC still recognises the header that remove_hf failed to match.
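The following is an added example, not the Enable Security reproduction tooling and not Kamailio's code. It models the two sides of the problem in Python: a name-matching removal that compares the raw text before the colon (the behaviour described above for remove_hf prior to the fix, modelled here for comparison) and an RFC 3261-style parser that folds continuation lines and strips the whitespace allowed before the colon. The SIP request, the X-Internal-Auth header name and its values are constructed for the example.

```python
import re

# RFC 3261: a header name is a token and HCOLON = *( SP / HTAB ) ":" SWS, so a
# compliant downstream parser treats "X-Internal-Auth \t:" as X-Internal-Auth.
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
HEADER_LINE = re.compile(rf"^({TOKEN})[ \t]*:(.*)$")

# Constructed sample request from an untrusted peer (not captured traffic).
# The second X-Internal-Auth line has a space and a tab before the colon:
# that is the smuggled copy. The header name itself is hypothetical.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "X-Internal-Auth: trusted\r\n"
    "X-Internal-Auth \t: trusted-via-whitespace\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def _split(msg):
    """Return (head_lines, body); head_lines excludes the blank separator line."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def naive_remove_header(msg, name):
    """Drop lines whose raw text before the first ':' equals name (case-insensitive).

    This models the pre-fix matching described in the advisory: the trailing
    whitespace in "X-Internal-Auth \t:" makes the comparison fail, so the line
    survives. It is a model for comparison, not Kamailio's implementation.
    """
    lines, body = _split(msg)
    kept = [ln for ln in lines if ln.partition(":")[0].lower() != name.lower()]
    return "\r\n".join(kept) + "\r\n\r\n" + body


def parse_headers(msg):
    """Parse the message head into (start_line, [(name, value)], body).

    Continuation lines (leading SP/HTAB) are unfolded first, then each header
    is matched with HEADER_LINE, which discards the SP/HTAB allowed before ':'.
    """
    lines, body = _split(msg)
    start_line, unfolded = lines[0], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # folded LWS continuation
        else:
            unfolded.append(line)
    headers = []
    for line in unfolded:
        m = HEADER_LINE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1), m.group(2).strip()))
    return start_line, headers, body


def header_values(msg, name):
    """Values an RFC-compliant downstream parser would see for `name`."""
    _, headers, _ = parse_headers(msg)
    return [v for n, v in headers if n.lower() == name.lower()]


def remove_header(msg, name):
    """Remove every instance of `name` by its normalised name and re-serialise
    with a canonical 'Name: value' so no whitespace variant reaches downstream."""
    start_line, headers, body = parse_headers(msg)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() != name.lower()]
    return "\r\n".join([start_line, *kept]) + "\r\n\r\n" + body


if __name__ == "__main__":
    name = "X-Internal-Auth"
    print("downstream sees after naive removal:",
          header_values(naive_remove_header(SAMPLE_INVITE, name), name))
    print("downstream sees after RFC-aware removal:",
          header_values(remove_header(SAMPLE_INVITE, name), name))
```

Running the block shows the smuggled value surviving the naive pass while the normalising pass leaves nothing for the downstream service to act on. The same normalisation (strip SP/HTAB before the colon, compare the token case-insensitively) is the check to apply wherever header names are matched on the trust boundary, and it is worth re-serialising with a canonical name so that a later hop cannot be fed a variant the proxy never compared.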