Sofia-sip security issues

Status
Not open for further replies.
U

UCtech

Member
Jan 9, 2019
36
7
8
Since FusionPBX/Freeswitch uses Sofia-sip, these security vulns caught my eye:
github.com

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.
github.com github.com

CVE-2022-31003 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library

CVE-2022-31003 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of a sdp message, `r
www.cvedetails.com

CVE-2022-31002 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library

CVE-2022-31002 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sd
www.cvedetails.com

CVE-2022-31001 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library

CVE-2022-31001 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sd
www.cvedetails.com

CVE rating is 5 to 7.5
My Debian 10 install had a vulnerable version 1.13.7 (lib-sofia-ua) and would not upgrade due to the Signalwire token authentication issues.
 
U

UCtech

Member
Jan 9, 2019
36
7
8
I don't know if there is a better way, but I resolved this for my system by following these guides:

HOWTO Create a SignalWire Personal Access Token - FreeSWITCH - Confluence

freeswitch.org freeswitch.org

Debian - FreeSWITCH - Confluence

freeswitch.org freeswitch.org
I wasn't sure how this would work as it says it is for installing Freeswitch but it also works for the other Signalwire packages.

Note: on the "Installing FreeSWITCH" instructions, I used the 1st part to get the OS set up to update using the token, but did not need to install Freeswitch as I just wanted to update Sofia-Sip. The user=signalwire part seems to work undmodified even though a different username is provided when getting the token. I just then replaced the $token with my Signalwire free token and ran the commands. Afterwards I was able to do normal OS updates (Apt) for Signalwire software.
 
U

UCtech

Member
Jan 9, 2019
36
7
8
There are many different ways to check this. Search engines might help. Here is one method:
apt list
Then look in the list for:
libsofia-sip-ua-dev/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib-dev/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib3-dbgsym/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib3/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua0-dbgsym/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua0/stable,now 1.13.9-105~2a6190f892~buster amd64 [installed,automatic]

The above is from a patched system on Debian 10. An unpatched system would show 1.13.7 or below. Ubuntu should be the same I would think . . .
 
Q

qtph

New Member
Oct 30, 2022
26
0
1
Code: 
# apt list \*sofia\*
Listing... Done
libsofia-sip-ua-dev/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua-glib-dev/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua-glib3/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua0/focal 1.12.11+20110422.1-2.1build1 arm64
sofia-sip-bin/focal 1.12.11+20110422.1-2.1build1 arm64
sofia-sip-doc/focal 1.12.11+20110422.1-2.1build1 all
telepathy-sofiasip/focal 0.8.0-3ubuntu1 all
 
Status
Not open for further replies.
Top Bottom