Tags › Security Advisory

SIPGO: Response DoS vulnerability via nil pointer dereference

• CVSS v4.0
  • Exploitability: High
  • Complexity: Low
  • Vulnerable system: High
  • Subsequent system: None
  • Exploitation: High
  • Security requirements: High
  • Vector: link
• Other references:
  • CVE-2025-68274
  • GHSA-c623-f998-8hhv
  • CWE-476: NULL Pointer Dereference
  • CWE-755: Improper Handling of Exceptional Conditions
• Fixed versions: >= v1.0.0-alpha-1
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-02-sipgo-response-dos/
• Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-02-sipgo-response-dos
• Tested vulnerable versions: >= v0.3.0, < v1.0.0-alpha-1
• Timeline:
  • First discovery: 2025-08-31
  • Root cause analysis: 2025-08-31
  • Fix developed: 2025-08-31
  • Regression tests created: 2025-08-31
  • Enable Security advisory: 2025-12-17

Description

A nil pointer dereference vulnerability was discovered in the SIPGO library’s NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.

rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration

• CVSS v4.0
  • Exploitability: High
  • Complexity: Low
  • Vulnerable system: Medium
  • Subsequent system: Medium
  • Exploitation: High
  • Security requirements: High
  • Vector: link
• Other references: CVE-2025-53399
• Fixed versions: >= mr13.4.1.1
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-01-rtpengine-improper-behavior-bleed-inject/
• Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
• Tested vulnerable versions: mr13.3.1.4 and lower
• Timeline:
  • First report: 2025-04-24
  • Triaged: 2025-04-30
  • Fix provided for testing: 2025-05-05
  • Various back and forth and more fixes: 2025-05 / 2025-06
  • Vendor applied all fixes satisfactorily to master branch: 2025-06-05
  • Enable Security verified and confirmed fix: 2025-06-26
  • Vendor release with fix (mr13.4.1.1): 2025-07-03
  • Enable Security advisory: 2025-07-31

Description

Media servers often support source address learning to dynamically adapt to network conditions and client behavior. This is especially useful in scenarios involving NAT where the source IP and port of incoming RTP packets may differ from what was initially signaled via SDP over SIP. However, this mechanism can be exploited for two types of attacks if malicious packets are accepted as legitimate:

FreeSWITCH: denial of service via DTLS Hello packets during call initiation

• Fixed versions: 1.10.11
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2023-02-freeswitch-dtls-hello-race/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6
• Other references: CVE-2023-51443
• Tested vulnerable versions: 1.10.10
• Timeline:
  • Report date: 2023-09-27
  • Triaged: 2023-09-27
  • Fix provided for testing: 2023-09-29
  • Vendor release with fix: 2023-12-22
  • Enable Security advisory: 2023-12-22

TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

rtpengine: denial of service via DTLS Hello packets during call initiation

• Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2, mr9.5.8.2, mr8.5.12.2
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2023-03-rtpengine-dtls-hello-race/
• Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6
• Other references: CVE-2023-51275
• Tested vulnerable versions: mr11.5.1.6
• Timeline:
  • Report date: 2023-10-02
  • Triaged: 2023-10-02
  • Fix provided for testing: 2023-11-16
  • Enable Security verified fix: 2023-12-14
  • Vendor release with fix: 2023-12-14
  • Enable Security advisory: 2023-12-15

TL;DR

When handling DTLS-SRTP for media setup, RTPEngine is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS encrypted calls during the attack.

Asterisk: denial of service via DTLS Hello packets during call initiation

• Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2023-01-asterisk-dtls-hello-race/
• Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
• Other references: CVE-2023-49786
• Tested vulnerable versions: 20.1.0
• Timeline:
  • Report date: 2023-09-27
  • Triaged: 2023-09-27
  • Fix provided for testing: 2023-11-09
  • Vendor release with fix: 2023-12-14
  • Enable Security advisory: 2023-12-15

TL;DR

When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

FreeSWITCH: unauthenticated SIP SUBSCRIBE requests by default

• Fixed versions: v1.10.7
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-08-freeswitch-SIP-SUBSCRIBE-without-auth/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
• Other references: CVE-2021-41157
• Tested vulnerable versions: <= v1.10.5
• Timeline:
  • Report date: 2021-06-07
  • Triaged: 2021-06-08
  • Fix provided for testing: 2021-10-01
  • Vendor release with fix: 2021-10-24
  • Enable Security advisory: 2021-10-25

Description

By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. For good reason, by default, software upgrades do not update the configuration.

FreeSWITCH: unauthenticated SIP MESSAGE requests allow spam and spoofing

• Fixed versions: v1.10.7
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-07-freeswitch-SIP-MESSAGE-without-auth/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
• Other references: CVE-2021-37624
• Tested vulnerable versions: <= v1.10.6
• Timeline:
  • Report date: 2021-06-07
  • Fix provided for testing: 2021-07-27
  • Vendor release with fix: 2021-10-24
  • Enable Security advisory: 2021-10-25

Description

By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the auth-messages parameter to true, it is not the default setting.

FreeSWITCH: SIP digest leak for configured gateways

• Fixed versions: v1.10.7
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-05-freeswitch-vulnerable-to-SIP-digest-leak/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4
• Other references: CVE-2021-41158
• Tested vulnerable versions: <= v1.10.6
• Timeline:
  • Report date: 2021-04-22
  • Triaged: 2021-04-23
  • Fix provided for testing: 2021-08-13
  • Second fix provided for testing: 2021-09-14
  • Vendor release with fix: 2021-10-24
  • Enable Security advisory: 2021-10-25

Description

An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH’s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.

FreeSWITCH: denial of service via SIP flooding

• Fixed versions: v1.10.7
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-06-freeswitch-flood-dos/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
• Other references: CVE-2021-41145
• Tested vulnerable versions: <= v1.10.6
• Timeline:
  • Report date: 2021-05-28
  • Triaged: 2021-06-18
  • Fix provided for testing: 2021-10-08
  • Second fix provided for testing: 2021-10-13
  • Vendor release with fix: 2021-10-24
  • Enable Security advisory: 2021-10-25

Description

When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. The following excerpt from syslog shows one such instance:

FreeSWITCH: denial of service via invalid SRTP packets

• Fixed versions: v1.10.7
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-09-freeswitch-srtp-dos/
• Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36
• Other references: CVE-2021-41105
• Tested vulnerable versions: <= v1.10.6
• Timeline:
  • Report date: 2021-09-06
  • Triaged: 2021-09-10
  • Fix provided for testing: 2021-09-17
  • Vendor release with fix: 2021-10-24
  • Enable Security advisory: 2021-10-25

TL;DR

When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack.

Description

When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment.