CVE-2021-41145— FreeSWITCH susceptible to Denial of Service via SIP flooding

FreeSWITCH susceptible to Denial of Service via SIP flooding

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

FreeSWITCH 资源管理错误漏洞

FreeSWITCH是美国Anthony Minessale个人开发者的研发的一套免费、开源的通信软件。该软件可用于创建音、视频以及短消息类产品和应用。 FreeSWITCH 存在资源管理错误漏洞，该漏洞源于版本1.10.7之前的FreeSWITCH很容易通过SIP洪水拒绝服务。攻击者可利用该漏洞用SIP消息淹没任何freeeswitch实例，从而导致拒绝服务。

N/A

N/A