Critical Remote Hacking Flaws Disclosed in Linphone and MicroSIP Softphones


Multiple security vulnerabilities have been disclosed in Linphone and MicroSIP softphone software which could be exploited by an unauthenticated remote adversary to crash the client and even extract sensitive information such as password hashes by simply performing a malicious call.

The vulnerabilities, which were discovered by Moritz Abrell of German penetration testing company SySS GmbH, have since been patched by the respective manufacturers following responsible disclosure.

Softphones are software-based phones that mimic desk phones and allow you to make phone calls over the Internet without the need for dedicated hardware. At the heart of the problem are the SIP services offered by the clients to connect two peers to facilitate telephony services in IP-based mobile networks.

SIP, aka Session Initiation Protocol, is a signaling protocol used to control interactive communication sessions, such as voice, video, chat and instant messaging, as well as games and virtual reality, between endpoints, by defining rules that govern the establishment and termination of each session.

A typical session in SIP begins with a user agent (aka endpoint) sending an INVITE message to a peer through SIP proxies, which are used to route requests. When the recipient at the other end accepts it, the call initiator is notified, followed by the actual data flow. SIP invitations carry session parameters that allow participants to agree on a set of compatible media types.

The attack devised by SySS is what is called a SIP Digest Leak, which involves sending a SIP INVITE message to the target softphone to negotiate a session, followed by sending a “407 Proxy Authentication Required” HTTP response status code, indicating that the request could not be completed due to a lack of valid credentials, prompting the softphone to respond with the necessary credentials.

“With this information, the attacker is able to perform an offline password guessing attack and, if the guessing attack is successful, get the clear password of the targeted SIP account,” Abrell explained. “Therefore, this vulnerability associated with weak passwords is a significant security issue.”

A null pointer dereference vulnerability in Linphone’s SIP stack has also been discovered. It could be triggered by an unauthenticated remote attacker by sending a specially crafted SIP INVITE request which could crash the softphone. “A missing tag parameter in the From header causes Linphone’s SIP stack to crash,” said Abrell.
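
The check whose absence produces this class of crash, as an added example that is not Linphone's code: a C routine that extracts the From tag from a request and returns an error when the header or its tag is absent, so the caller can reject the message (for instance with 400 Bad Request) instead of dereferencing a NULL tag. The function names and the sample requests are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample requests, trimmed to the headers that matter here. */
const char INVITE_OK[] = "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\nCSeq: 1 INVITE\r\n\r\n";
const char INVITE_NO_TAG[] = "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: \"Alice\" <sip:alice@example.com>\r\nCSeq: 1 INVITE\r\n\r\n";

/* Locate a header value (long or compact name) in a SIP message; NULL if absent. */
static const char *find_header(const char *msg, const char *name,
                               const char *compact, size_t *len) {
    const char *line = msg;
    while ((line = strstr(line, "\r\n")) != NULL) {
        line += 2;                                   /* start of the next line */
        if (*line == '\r' || *line == '\0') break;   /* blank line: headers end */
        const char *colon = strchr(line, ':'), *eol = strstr(line, "\r\n");
        if (!colon || !eol || colon > eol) continue;
        size_t n = (size_t)(colon - line);
        if ((n == strlen(name) && !strncasecmp(line, name, n)) ||
            (n == strlen(compact) && !strncasecmp(line, compact, n))) {
            *len = (size_t)(eol - colon - 1);
            return colon + 1;
        }
    }
    return NULL;
}

/* Copy the From tag into out: 0 on success, -1 if missing, empty or too long. */
int sip_from_tag(const char *msg, char *out, size_t outlen) {
    size_t len = 0;
    const char *val = (msg && out && outlen) ? find_header(msg, "From", "f", &len) : NULL;
    if (!val) return -1;
    const char *end = val + len, *p = val;
    for (const char *q = val; q < end; q++)          /* header params follow the last '>' */
        if (*q == '>') p = q + 1;
    while (p < end && (p = memchr(p, ';', (size_t)(end - p))) != NULL) {
        for (p++; p < end && *p == ' '; p++) {}
        if ((size_t)(end - p) > 4 && !strncasecmp(p, "tag=", 4)) {
            size_t n = 0;
            for (p += 4; p + n < end && p[n] != ';' && p[n] != ' '; n++) {}
            if (n == 0 || n >= outlen) return -1;
            memcpy(out, p, n); out[n] = '\0';
            return 0;
        }
    }
    return -1;
}
```

A tag that appears only inside the URI's angle brackets is a URI parameter, not the From header's tag, and is treated as missing.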

This is the second time that a NULL pointer dereference vulnerability has been discovered in the Linphone SIP client. In September 2021, Claroty made public the details of a zero-click flaw in the protocol stack (CVE-2021-33056) that could be exploited remotely without any action from a victim to crash the SIP client and cause a denial of service (DoS).

“The level of security of SIP stacks needs to be further improved,” said Abrell, calling for a defense-in-depth approach that involves “defining and implementing appropriate security measures for the secure operation of unified communication systems.”
