CVE-2021-41145

Name
CVE-2021-41145
Description
Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
MISC https://github.com/signalwire/freeswitch/releases/tag/v1.10.7
FULLDISC http://seclists.org/fulldisclosure/2021/Oct/42

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:* freeswitch >= None < 1.10.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
freeswitch 3.14-main 1.10.6-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freeswitch 3.13-main 1.10.5-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freeswitch 3.12-main 1.10.3-r2 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freeswitch 3.11-main 1.8.7-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freeswitch edge-main 1.10.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed