Authentication and denial of service risks for DIY PBX tech patched
Security researchers have gone public about a set of five vulnerabilities in telecoms stack software FreeSwitch.
The quintet of flaws – all discovered by a team from German telecoms security consultancy Enable Security – lead to denial of service, authentication problems and information leakage for systems running FreeSwitch.
FreeSwitch is an open source, software-defined telecoms stack that allows multi-purpose devices, ranging from a Raspberry Pi to multi-core servers, to act as telecoms switches.
Enable Security worked with developers so that all five flaws were fixed with FreeSwitch 1.10.7, released on October 25.
Hanging on the telephone
The various flaws involve services related to providing WebRTC (Web Real-Time Communication), a technology that allows audio and video communication within web pages without the need to install plugins, as well as Session Initiation Protocol (SIP), a signalling and control protocol used in IP telephony and elsewhere.
The first vulnerability (tracked as CVE-2021-41105, with a CVSS Score of 7.5) makes it possible for an attacker to disconnect any ongoing calls by flooding a FreeSwitch installation with invalid SRTP (Secure Real-time Transport Protocol) packets.
No authentication is required to trigger this denial of service, which works by preventing a FreeSwitch install from unpacking the encrypted and authenticated traffic that SRTP carries.
Another high-severity flaw (CVE-2021-41145, CVSS score 8.6) leaves FreeSwitch at risk of denial of service through SIP flooding. Memory on a device can be exhausted if an attack targets a switch with enough junk SIP messages.
As with the previous flaw, no authentication is required.
A third high-severity vulnerability (CVE-2021-37624) stemmed from shortcomings in how FreeSwitch authenticated SIP message requests.
By default, SIP ‘MESSAGE’ requests are not authenticated in the affected versions of FreeSwitch – opening the door to spam and message spoofing.
A lesser, moderate severity flaw (CVE-2021-41158) means that miscreants can carry out a SIP digest leak attack against FreeSwitch and receive the challenge response of a gateway configured on the FreeSwitch server. This leaked data might be used to determine a gateway password.
Lastly, a failure of previous versions of FreeSwitch to authenticate SIP ‘SUBSCRIBE’ requests, which are used to subscribe to user agent event notifications, created a moderate privacy risk.
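As an added illustration that is not from the article or the FreeSwitch project, the Python audit below walks a set of constructed SIP requests and flags the two gaps just described: MESSAGE and SUBSCRIBE requests that carry no digest credential, plus a crude per-source volume count as a flood indicator. The threshold, addresses and helper names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Methods that should not be accepted without a digest credential.
AUTH_REQUIRED_METHODS = {"MESSAGE", "SUBSCRIBE"}
FLOOD_THRESHOLD = 5  # assumed: requests from one source in the sample window

def parse_sip_request(raw):
    """Return (method, headers) for a raw SIP request; header names lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+)\s+\S+\s+SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def is_authenticated(headers):
    """A request is treated as authenticated if it carries a digest credential."""
    return "authorization" in headers or "proxy-authorization" in headers

def audit(requests):
    """requests: iterable of (src_ip, raw_sip). Returns findings per source."""
    unauth = defaultdict(list)
    per_src = Counter()
    for src, raw in requests:
        method, headers = parse_sip_request(raw)
        per_src[src] += 1
        if method in AUTH_REQUIRED_METHODS and not is_authenticated(headers):
            unauth[src].append(method)
    floods = {s: n for s, n in per_src.items() if n >= FLOOD_THRESHOLD}
    return {"unauthenticated": dict(unauth), "flood_sources": floods}

def sip(method, host, user, extra=""):
    """Build a minimal constructed SIP request for the sample."""
    return (f"{method} sip:1001@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP {host}\r\n"
            f"From: <sip:{user}@{host}>\r\nTo: <sip:1001@pbx.example>\r\n"
            f"CSeq: 1 {method}\r\n{extra}\r\n")

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    ("203.0.113.5", sip("MESSAGE", "203.0.113.5", "spam")),      # no credential
    ("203.0.113.5", sip("SUBSCRIBE", "203.0.113.5", "spam")),    # no credential
    ("198.51.100.7", sip("MESSAGE", "pbx.example", "1002",
        'Authorization: Digest username="1002", realm="pbx.example", response="00"\r\n')),
    ("192.0.2.9", sip("REGISTER", "pbx.example", "1003")),       # not in scope here
] + [("203.0.113.5", sip("OPTIONS", "203.0.113.5", "x")) for _ in range(4)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```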
In a technical blog post, Enable Security explains these various vulnerabilities in more depth. The Daily Swig asked it to estimate the number of potentially vulnerable systems and to offer its take on lessons that might be gleaned from its research.
We’re yet to hear back, but one message is crystal clear from Enable Security’s blog post: businesses running the affected software should patch their systems or risk being compromised.