FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation
CVE-2023-51443

7.5HIGH

Key Information:

Vendor: Signalwire
Status: Freeswitch
Vendor: CVE Published:; 27 December 2023

What is CVE-2023-51443?

FreeSWITCH, a software-defined telecom stack by SignalWire, faces a Denial of Service vulnerability due to a race condition during the DTLS handshake phase. Attackers can exploit this issue by sending malformed ClientHello messages that lead to session termination. This results in a denial of new DTLS-SRTP encrypted calls, potentially causing significant service disruption. To mitigate this vulnerability, it is essential to upgrade to FreeSWITCH version 1.10.11, which implements measures to reject unvalidated packets.

Affected Version(s)

freeswitch < 1.10.11

References

https://github.com/signalwire/freeswitch/security/advisor...

x_refsource_CONFIRM

https://github.com/signalwire/freeswitch/commit/86cbda90b...

x_refsource_MISC

http://packetstormsecurity.com/files/176393/FreeSWITCH-De...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 27, 2023
Vulnerability Reserved
Dec 19, 2023

CVE-2023-51443 Data

JSON

Signalwire

What is CVE-2023-51443?

Affected Version(s)

References

CVSS V3.1

Timeline