Open Source Media Stack and PJSIP SIP Have Critical Bugs
Table of Contents
- By David Lukic
- Published: Mar 04, 2022
- Last Updated: Mar 18, 2022
Digital security specialists are reporting several critical bugs within open-source multimedia known as PJSIP. At the moment, nearly half a dozen such security vulnerabilities have been identified. Below, we provide a look at those flaws and delve into how digital security specialists are addressing them.
Why are the Critical Bugs Such a Problem?
The critical bugs noted above are an issue as they open the door for digital attackers to abuse targets, spurring the execution of arbitrary code and DoS attacks within applications that rely on the protocol stack for functionality. DoS is short for denial-of-service.
Who Identified the Critical Bugs?
The flaws in questions were pinpointed and reported by digital security professionals at JFrog. The company’s Security Research team highlighted the critical bugs earlier this week after the maintainers of the project issued patches.
What is PJSIP all about?
PJSIP is best described as an embedded suite with SIP protocols that is open source, meaning users can modify it for improvement. PJSIP is written within C, providing support for video, audio, and instant messages for digital platforms used for communication such as WhatsApp. PJSIp is also used within Asterisk, a private branch exchange system used in VoIP networks.
Sauw Ming, a developer with PJSIP, recently noted that PJSIP buffers typically have a capped size, especially when used in a stack or provided through an application. Yet, the group does not check to see if the usage moves beyond the cap. In other words, there is the potential for buffer overflows to occur.
What are the Flaws in Question?
Let’s shift our attention to the specific flaws with PJSIP. Those flaws are listed below:
• CVE-2021-43302 (CVSS score: 5.9) – Read out-of-bounds in PJSUA API when calling pjsua_recorder_create()
• CVE-2021-43303 (CVSS score: 5.9) – Buffer overflow in PJSUA API when calling pjsua_call_dump()
• CVE-2021-43299 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_player_create()
• CVE-2021-43300 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_recorder_create()
• CVE-2021-43301 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_playlist_create()
If one of the flaws noted above is exploited, a nefarious actor might have the opportunity to shift arguments to the susceptible APIs, spurring code execution along with a DoS attack, as noted above. The arbitrary code execution occurs within applications that rely on the PJSIP library.
How are the Critical Bugs Remedied?
The JFrog Security crew proactively disclosed the vulnerabilities. A patch has been made available, dubbed “commit d979253,” yet JFrog Security is uncertain as to whether it will prove effective across the long haul. Workarounds are also available for the applications to gauge parameter length, meaning the buffer and file names prior to calling the APIs.
In summary, JFrog Security is working hard to verify the best strategy to fix the critical bugs noted above. However, at the moment, it is unclear if a lasting digital security solution will be identified.