Attackers Remotely Exploit Bugs in Linphone Session Initiation Protocol (SIP) Stack – E Hacking News
A team of researchers recently disclosed details of a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that could be exploited remotely, without any action on the victim’s side, to crash the SIP client and trigger a denial-of-service (DoS) condition.
Linphone is a 20-year-old open-source voice-over IP (VoIP) project that claims to have been the first open-source software on Linux to use the Session Initiation Protocol (SIP). Its SIP software is used by developers and programmers to create communication systems that incorporate instant messaging, audio, and video. It is developed and maintained by France-based Belledonne Communications.
The flaw, tracked as CVE-2021-33056 (CVSS score: 7.5), is a NULL pointer dereference vulnerability in the “belle-sip” component, a C-language library used to implement the SIP transport, transaction, and dialog layers. All versions prior to 4.5.20 are affected. Claroty, an industrial cybersecurity firm, discovered and reported the flaw.
The remotely exploitable flaw can be triggered by adding a malicious forward slash (“</”) to a SIP message header such as To (the call recipient), From (the call initiator), or Diversion (redirect the destination endpoint), resulting in a crash of the SIP client application that uses the belle-sip library to handle and parse SIP messages.
This bug is a zero-click vulnerability because sending an INVITE SIP request with a specially crafted From/To/Diversion header is enough to crash the SIP client. As a result, any application that uses belle-sip to parse SIP messages will become unavailable upon receiving a malicious SIP “call.”
“Successful exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks,” Brizinov said. “A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects.”
Updates for the core protocol stack have been released, but companies that depend on the affected SIP stack in their products must apply the changes downstream.
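Until the patched library reaches downstream products, a SIP proxy or monitoring script in front of affected clients can screen for the header pattern described above. The following is an added example, not code from Claroty, Belledonne Communications or the original article; the function names and sample messages are constructed for illustration, and treating any “</” in these headers as suspicious is a heuristic assumption that may also flag unusual but harmless display names.

```python
import re

# Headers named in the article, plus RFC 3261 compact forms (f = From, t = To).
WATCHED = {"from": "From", "f": "From", "to": "To", "t": "To",
           "diversion": "Diversion"}
MARKER = "</"  # character sequence quoted in the article

def header_lines(raw):
    """Logical header lines of a SIP message, folded continuations joined."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # drop the body
    lines = []
    for line in re.split(r"\r?\n", head)[1:]:           # skip the start line
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()             # folded continuation
        else:
            lines.append(line)
    return lines

def suspicious_headers(raw):
    """Return (canonical name, value) for watched headers containing MARKER."""
    hits = []
    for line in header_lines(raw):
        name, sep, value = line.partition(":")
        canon = WATCHED.get(name.strip().lower())
        if sep and canon and MARKER in value:
            hits.append((canon, value.strip()))
    return hits

# Constructed sample messages (not captured traffic).
BENIGN = ("INVITE sip:bob@example.test SIP/2.0\r\n"
          "From: <sip:alice@example.test>;tag=1\r\n"
          "To: <sip:bob@example.test>\r\n"
          "Content-Type: application/xml\r\n"
          "\r\n"
          "<note></note>\r\n")   # "</" in the body must not be flagged
FLAGGED = ("INVITE sip:bob@example.test SIP/2.0\r\n"
           "f: <sip:alice@example.test>;tag=1</\r\n"
           "To: <sip:bob@example.test>\r\n"
           "\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(label, suspicious_headers(msg))
```

Only the header section is inspected, so XML or SDP bodies that legitimately contain “</” do not raise alerts, and compact or folded header forms are normalized before matching.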