As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack.
The weaknesses were identified and reported by JFrog’s Security Research team, following which the project maintainers released patches (version 2.12) last week on February 24, 2022.
PJSIP is an open-source embedded SIP protocol suite written in C that supports audio, video, and instant messaging features for popular communication platforms such as WhatsApp and BlueJeans. It’s also used by Asterisk, a widely-used private branch exchange (PBX) switching system for VoIP networks.
“Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes,” PJSIP’s developer Sauw Ming noted in an advisory posted on GitHub last month, a scenario that could result in buffer overflows.
The list of flaws is as follows –
- CVE-2021-43299 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_player_create()
- CVE-2021-43300 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_recorder_create()
- CVE-2021-43301 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_playlist_create()
- CVE-2021-43302 (CVSS score: 5.9) – Read out-of-bounds in PJSUA API when calling pjsua_recorder_create()
- CVE-2021-43303 (CVSS score: 5.9) – Buffer overflow in PJSUA API when calling pjsua_call_dump()
Successful exploitation of the aforementioned flaws could enable a malicious actor to pass attacker-controlled arguments to any of the vulnerable APIs, leading to code execution and a DoS condition, Uriya Yavnieli, JFrog researcher who reported the flaws, said.