CVE-2023-22741

{"id": "CVE-2023-22741", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-01-19T22:15:11.273", "references": [{"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.debian.org/security/2023/dsa-5410", "source": "security-advisories@github.com"}, {"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2023/dsa-5410", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Sofia-SIP es una librer\u00eda SIP User-Agent de c\u00f3digo abierto que cumple con la especificaci\u00f3n IETF RFC3261. En las versiones afectadas, Sofia-SIP **carece de comprobaciones de la longitud del mensaje y de la longitud de los atributos** cuando maneja paquetes STUN, lo que provoca un desbordamiento controlable del almacenamiento din\u00e1mico. Por ejemplo, en stun_parse_attribute(), despu\u00e9s de obtener el tipo y el valor de longitud del atributo, la longitud se usar\u00e1 directamente para copiar desde el heap, independientemente del tama\u00f1o izquierdo del mensaje. Dado que los usuarios de la red controlan la longitud desbordada y los datos se escriben en fragmentos de heap m\u00e1s tarde, los atacantes pueden lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la preparaci\u00f3n del heap u otros m\u00e9todos de explotaci\u00f3n. El error se introdujo hace 16 a\u00f1os en sofia-sip 1.12.4 (m\u00e1s algunos parches hasta el 21/12/2006) en las librer\u00edas del \u00e1rbol con git-svn-id: http://svn.freeswitch.org/svn/freeswitch/ tronco@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Se recomienda a los usuarios que actualicen. No se conocen soluciones para esta vulnerabilidad."}], "lastModified": "2024-11-21T07:45:20.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:signalwire:sofia-sip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DF9E38A-C29D-4A98-82E7-5CAF18A94054", "versionEndExcluding": "1.13.11"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}