Authentication and denial of service risks for DIY PBX tech patched

UPDATED Security researchers have gone public about a set of five vulnerabilities in telecoms stack software FreeSwitch.

The quintet of flaws – all discovered by a team from German telecoms security consultancy Enable Security – lead to denial of service, authentication problems and information leakage for systems running FreeSwitch.

FreeSwitch is an open source, software-defined telecoms stack that allows multi-purpose devices, ranging from a Raspberry Pi to multi-core servers, to act as telecoms switches.

Enable Security worked with developers so that all five flaws were fixed with FreeSwitch 1.10.7, released on October 25.

Hanging on the telephone

The various flaws involve services related to providing WebRTC (Web Real-Time Communication), a technology that allows audio and video communication within web pages without the need to install plugins, as well as Session Initiation Protocol (SIP), a signalling and control protocol used in IP telephony and elsewhere.

The first vulnerability (tracked as CVE-2021-41105, with a CVSS Score of 7.5) makes it possible for an attacker to disconnect any ongoing calls by flooding a FreeSwitch installation with invalid SRTP (Secure Real-time Transport Protocol) packets.

No authentication is required to trigger this denial of service, which works by preventing a FreeSwitch install from unpacking (decrypting and authenticating) the media traffic that SRTP protects.

Another high-severity flaw (CVE-2021-41145, CVSS score 8.6) leaves FreeSwitch at risk of denial of service through SIP flooding. Memory on a device can be exhausted if an attack targets a switch with enough junk SIP messages.

As with the previous flaw, no authentication is required.

A third high-severity vulnerability (CVE-2021-37624) stemmed from shortcomings in how FreeSwitch authenticated SIP message requests.

By default, SIP ‘MESSAGE’ requests are not authenticated in the affected versions of FreeSwitch – opening the door to spam and message spoofing.

Hotline leaks

A lesser, moderate severity flaw (CVE-2021-41158) means that miscreants can carry out a SIP digest leak attack against FreeSwitch and receive the challenge response of a gateway configured on the FreeSwitch server. This leaked data might be used to determine a gateway password.

Lastly, a failure of previous versions of FreeSwitch to authenticate SIP ‘SUBSCRIBE’ requests, which are used to subscribe to user agent event notifications, created a moderate privacy risk.
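The SIP flooding and the unauthenticated MESSAGE/SUBSCRIBE conditions described above are the kind of thing a defender can watch for in signalling logs. The following is an added example, not code from the article or from the FreeSwitch project: a small log analyser that flags a source sending more than a threshold of SIP requests within a sliding window, and any MESSAGE or SUBSCRIBE request that arrived without an Authorization header. The log line format, the field names, the sample lines, the threshold and the window size are all constructed for this example.

```python
"""Added example (not from the article or the FreeSwitch project).

Flags two conditions in a constructed SIP request log:
  1. flooding: more than RATE_LIMIT requests from one source IP inside a
     WINDOW-second sliding window (the DoS class the article describes);
  2. MESSAGE or SUBSCRIBE requests that carried no Authorization header,
     which affected versions accepted without challenge by default.

Assumed log line format (constructed for this example):
  "<epoch_seconds> <src_ip> <METHOD> <request_uri> <auth|noauth>"
"""
from collections import defaultdict, deque
import re

RATE_LIMIT = 5        # assumed threshold: requests per window per source
WINDOW = 2.0          # assumed sliding-window length in seconds
AUTH_REQUIRED = {"MESSAGE", "SUBSCRIBE"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<uri>\S+) (?P<auth>auth|noauth)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "uri": m["uri"],
        "authenticated": m["auth"] == "auth",
    }


def analyse(lines, rate_limit=RATE_LIMIT, window=WINDOW):
    """Return flooding sources and unauthenticated MESSAGE/SUBSCRIBE requests."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    flooders = set()
    unauthenticated = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # ignore lines in an unexpected format
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > rate_limit:
            flooders.add(ev["src"])
        if ev["method"] in AUTH_REQUIRED and not ev["authenticated"]:
            unauthenticated.append((ev["src"], ev["method"], ev["uri"]))
    return {"flooders": sorted(flooders), "unauthenticated": unauthenticated}


# Constructed sample log: a normal user, one flooding source sending eight
# OPTIONS requests in under a second, and one unauthenticated MESSAGE.
SAMPLE_LOG = [
    "100.0 192.0.2.10 REGISTER sip:pbx.example auth",
    "100.5 192.0.2.10 INVITE sip:bob@pbx.example auth",
    "101.0 192.0.2.10 SUBSCRIBE sip:bob@pbx.example auth",
] + [f"{100.0 + i / 10:.1f} 203.0.113.7 OPTIONS sip:pbx.example noauth" for i in range(8)] + [
    "102.0 198.51.100.4 MESSAGE sip:alice@pbx.example noauth",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src in result["flooders"]:
        print(f"possible SIP flood from {src}")
    for src, method, uri in result["unauthenticated"]:
        print(f"unauthenticated {method} from {src} to {uri}")
```

Running the block on the constructed log reports 203.0.113.7 as a flooding source and the MESSAGE from 198.51.100.4 as unauthenticated. The threshold and window are placeholders to tune against your own traffic baseline; the aim is to surface behaviour worth investigating, not to replace the patched release.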

Businesses running the affected software should patch their systems or risk being compromised.

In a technical blog post, Enable Security explains these various vulnerabilities in more depth. The vulnerabilities vary in impact.

Sandro Gauci, the researcher who led the team at Enable Security which carried out the research, told The Daily Swig: "Each vulnerability has a different impact. The worst one is the DoS due to SIP flood since in RTC downtime is a huge deal."

Estimates of how many systems might be vulnerable are tricky to come by, but what's clear is that thousands of systems are at risk.

Gauci, the self-styled chief mischief maker at Enable Security, said: "[It's] hard for me to say how many are affected. Shodan shows > 12k FreeSwitch servers listening on port 5060. There will be more with a custom User-Agent header. And various systems will be internal / not responding to Shodan / hiding behind an SIP router / SBC etc."

Gauci concluded by expressing the hope that Enable's work might inspire other researchers to look into the security of WebRTC and IP telephony systems.

"We've been advocating for more security research / testing in the area because many security professionals seem to ignore the topic," Gauci said, adding that the "FreeSwitch developers were very receptive and we were happy to work with them on these issues".


This story was updated to add comment from Enable Security
