FreeSWITCH susceptible to Denial of Service via SIP flooding
CVE-2021-41145

8.6HIGH

Key Information:

Vendor: Signalwire
Status: Freeswitch
Vendor: CVE Published:; 25 October 2021

What is CVE-2021-41145?

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.

Affected Version(s)

freeswitch < 1.10.7

References

https://github.com/signalwire/freeswitch/releases/tag/v1....

x_refsource_MISC

https://github.com/signalwire/freeswitch/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2021
Vulnerability Reserved
Sep 15, 2021

CVE-2021-41145 Data

JSON

Signalwire

What is CVE-2021-41145?

Affected Version(s)

References

CVSS V3.1

Timeline