FreeSWITCH: unauthenticated SIP SUBSCRIBE requests by default
Published on Oct 25, 2021 in CVE-2021-41157, freeswitch, security advisory
- Fixed versions: v1.10.7
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-08-freeswitch-SIP-SUBSCRIBE-without-auth/
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
- Other references: CVE-2021-41157
- Tested vulnerable versions: <= v1.10.5
- Timeline:
  - Report date: 2021-06-07
  - Triaged: 2021-06-08
  - Fix provided for testing: 2021-10-01
  - Vendor release with fix: 2021-10-24
  - Enable Security advisory: 2021-10-25
Description
By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Although this issue was fixed in version v1.10.7, installations upgraded to the fixed version from an older release may still be vulnerable if the configuration is not updated accordingly: for good reason, software upgrades do not, by default, overwrite the existing configuration, so a profile that was deployed before the fix keeps its old behaviour until an administrator changes it.
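The practical question for an operator is therefore not "which version am I running" but "does my SIP profile challenge an anonymous SUBSCRIBE". The probe below is an added example written for this page, not code from Enable Security's advisory or from the FreeSWITCH project: it builds a minimal RFC 3261 SUBSCRIBE with no credentials, sends it over UDP, and classifies the response code. The target address, extension and event package in the usage call are constructed placeholders.

```python
"""Probe whether a SIP server challenges an unauthenticated SUBSCRIBE.

Added example, not part of the original advisory. Only run this against
systems you are authorised to test.
"""
import random
import socket
import string


def _token(n=10):
    """Random alphanumeric token for tags, branches and Call-IDs."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(n))


def build_subscribe(host, user="1000", domain=None, event="presence",
                    local_ip="127.0.0.1", local_port=5060):
    """Return a bare SUBSCRIBE request (no Authorization header) as bytes.

    `domain` defaults to the target host; the Request-URI and From/To use
    the same user so the request looks like a phone subscribing to its
    own presence, which is the most common SUBSCRIBE a PBX receives.
    """
    domain = domain or host
    branch = "z9hG4bK" + _token(12)   # magic cookie required by RFC 3261
    lines = [
        f"SUBSCRIBE sip:{user}@{domain} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{domain}>;tag={_token()}",
        f"To: <sip:{user}@{domain}>",
        f"Call-ID: {_token(16)}@{local_ip}",
        "CSeq: 1 SUBSCRIBE",
        f"Contact: <sip:{user}@{local_ip}:{local_port}>",
        f"Event: {event}",
        "Expires: 60",
        "Accept: application/pidf+xml",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response):
    """Extract the numeric status code from a SIP response's status line."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        raise ValueError("not a SIP response: %r" % status_line)
    return int(parts[1])


def classify(status):
    """Map a status code to a verdict about SUBSCRIBE authentication."""
    if status in (401, 407):
        return "challenged"            # server demanded credentials: good
    if 200 <= status < 300:
        return "accepted-without-auth"  # subscription created anonymously
    if status == 489:
        return "bad-event"             # event package unsupported; says nothing about auth
    return "other"


def probe(host, port=5060, timeout=3.0, **kwargs):
    """Send one unauthenticated SUBSCRIBE and return (verdict, status)."""
    message = build_subscribe(host, **kwargs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return "no-response", None
    status = parse_status(data)
    return classify(status), status


if __name__ == "__main__":
    # Constructed placeholder target and extension; replace with your own.
    verdict, code = probe("192.0.2.10", user="1000", local_ip="192.0.2.1")
    print(verdict, code)
```

A verdict of `challenged` (401 or 407) means the profile requires credentials before creating a subscription; `accepted-without-auth` (any 2xx) is the behaviour this advisory describes. A 489 Bad Event only tells you that the chosen event package is not supported, so retry with another package (for example `message-summary` or `dialog`) before drawing a conclusion, and remember that a UDP probe with no reply may simply be a firewall rather than a hardened server.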
…