Tags › CVE-2021-37624
FreeSWITCH: unauthenticated SIP MESSAGE requests allow spam and spoofing
Published on Oct 25, 2021 in CVE-2021-37624, freeswitch, security advisory
- Fixed versions: v1.10.7
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-07-freeswitch-SIP-MESSAGE-without-auth/
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
- Other references: CVE-2021-37624
- Tested vulnerable versions: <= v1.10.6
- Timeline:
- Report date: 2021-06-07
- Fix provided for testing: 2021-07-27
- Vendor release with fix: 2021-10-24
- Enable Security advisory: 2021-10-25
Description
By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the auth-messages parameter to true, it is not the default setting.
