Sofia-sip security issues

[UCtech]

Since FusionPBX/Freeswitch uses Sofia-sip, these security vulns caught my eye:

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

github.com

CVE-2022-31003 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing

CVE-2022-31003 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of a sdp message, `rest = record + 2` will access the memory behind `\0` and cause an out-of-bounds write. An attacker can send a message with evil...

www.cvedetails.com

CVE-2022-31002 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker c

CVE-2022-31002 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause a crash. This type of crash may be caused by a URL ending with `%`. Version 1.13.8 contains a...

www.cvedetails.com

CVE-2022-31001 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker c

CVE-2022-31001 : Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause crash. This type of crash may be caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) -...

www.cvedetails.com

CVE rating is 5 to 7.5
My Debian 10 install had a vulnerable version 1.13.7 (lib-sofia-ua) and would not upgrade due to the Signalwire token authentication issues.

 

[UCtech]

I don't know if there is a better way, but I resolved this for my system by following these guides:

HOWTO Create a SignalWire Personal Access Token - FreeSWITCH - Confluence

freeswitch.org

Debian - FreeSWITCH - Confluence

freeswitch.org

I wasn't sure how this would work as it says it is for installing Freeswitch but it also works for the other Signalwire packages.

Note: on the "Installing FreeSWITCH" instructions, I used the 1st part to get the OS set up to update using the token, but did not need to install Freeswitch as I just wanted to update Sofia-Sip. The user=signalwire part seems to work undmodified even though a different username is provided when getting the token. I just then replaced the $token with my Signalwire free token and ran the commands. Afterwards I was able to do normal OS updates (Apt) for Signalwire software.

 

[qtph]

How does one check Sofia-Sip verison after a fresh install on Ubuntu?

 

[UCtech]

There are many different ways to check this. Search engines might help. Here is one method:
apt list
Then look in the list for:
libsofia-sip-ua-dev/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib-dev/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib3-dbgsym/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua-glib3/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua0-dbgsym/stable 1.13.9-105~2a6190f892~buster amd64
libsofia-sip-ua0/stable,now 1.13.9-105~2a6190f892~buster amd64 [installed,automatic]

The above is from a patched system on Debian 10. An unpatched system would show 1.13.7 or below. Ubuntu should be the same I would think . . .

 

[qtph]

# apt list \*sofia\*
Listing... Done
libsofia-sip-ua-dev/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua-glib-dev/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua-glib3/focal 1.12.11+20110422.1-2.1build1 arm64
libsofia-sip-ua0/focal 1.12.11+20110422.1-2.1build1 arm64
sofia-sip-bin/focal 1.12.11+20110422.1-2.1build1 arm64
sofia-sip-doc/focal 1.12.11+20110422.1-2.1build1 all
telepathy-sofiasip/focal 0.8.0-3ubuntu1 all