Vulnerability CVE-2021-41145: Information

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-41145
Published: Oct. 26, 2021
Modified: Aug. 12, 2022
Error type identifier: CWE-401

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
freeswitchsisyphus1.10.7-alt11.10.11-alt1ALT-PU-2021-3374-1290602Fixed
freeswitchsisyphus_e2k1.10.7-alt11.10.11-alt1ALT-PU-2021-4475-1-Fixed
freeswitchp101.10.7-alt11.10.11-alt1ALT-PU-2021-3448-1290606Fixed
freeswitchc10f11.10.7-alt11.10.10-alt1ALT-PU-2021-3448-1290606Fixed
freeswitchc9f21.10.10-alt11.10.10-alt1ALT-PU-2023-5726-4329877Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
  • Exploit
  • Third Party Advisory
https://github.com/signalwire/freeswitch/releases/tag/v1.10.7
  • Release Notes
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*
      End excliding
      1.10.7
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.4.2
Back to top