Summary
FreeSWITCH allows remote users to trigger an out-of-bounds write by offering an ICE candidate with an unknown component ID
Description
When an SDP is offered that contains any ICE candidate with an unknown component ID, FreeSWITCH makes an out-of-bounds write to its arrays.
Impact
By abusing this vulnerability, an attacker can corrupt FreeSWITCH memory, leading to undefined behavior of the system or a crash.
How to reproduce the issue
Any of these ICE candidates will cause an out-of-bounds write. Note 0, x and 100:
"a=candidate:4010986621 0 udp 41819903 192.168.0.1 21280 typ relay raddr 192.168.1.1 rport 11556 generation 0 network-id 1 network-cost 10\n"
"a=candidate:4010986621 x udp 41819903 192.168.0.1 21280 typ relay raddr 192.168.1.1 rport 11556 generation 0 network-id 1 network-cost 10\n"
"a=candidate:4010986621 100 udp 41819903 192.168.0.1 21280 typ relay raddr 192.168.1.1 rport 11556 generation 0 network-id 1 network-cost 10\n"
Solution and recommendations
Update to FreeSWITCH version >= 1.10.10
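For code that parses ICE candidates itself, the relevant check is to validate the component ID before it is ever used as an array index. The following is an added example, not FreeSWITCH code or its patch; the names candidate_slot, store_candidate, struct ice_slot and the two-slot layout (1 = RTP, 2 = RTCP) are assumptions, and the sample lines in main are constructed from the candidates above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 2 /* assumption: slot 0 = RTP (id 1), slot 1 = RTCP (id 2) */

struct ice_slot { int seen; char line[256]; };

/* Parse the component-id field (second token) of an "a=candidate:" line.
 * Returns a zero-based slot in [0, MAX_COMPONENTS), or -1 if rejected. */
int candidate_slot(const char *line)
{
    static const char prefix[] = "a=candidate:";
    const char *p;
    char *end;
    long id;

    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return -1;
    p = strchr(line + sizeof(prefix) - 1, ' ');   /* skip the foundation */
    if (!p) return -1;
    p++;
    /* Digits only: rejects "x", signs and leading whitespace. */
    if (*p < '0' || *p > '9') return -1;
    id = strtol(p, &end, 10);
    if (*end != ' ') return -1;                   /* trailing junk, e.g. "1x" */
    /* 0 would map to slot -1 here; 100 would land far past the array. */
    if (id < 1 || id > MAX_COMPONENTS) return -1;
    return (int)(id - 1);
}

/* Write a candidate only after its slot index is proven in range. */
int store_candidate(struct ice_slot slots[MAX_COMPONENTS], const char *line)
{
    int idx = candidate_slot(line);
    if (idx < 0) return -1;
    slots[idx].seen = 1;
    snprintf(slots[idx].line, sizeof(slots[idx].line), "%s", line);
    return idx;
}

int main(void)
{
    /* Constructed sample lines: one valid id, then 0, x and 100. */
    const char *ids[] = { "1", "0", "x", "100" };
    struct ice_slot slots[MAX_COMPONENTS] = {0};
    char line[128];
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        snprintf(line, sizeof(line), "a=candidate:4010986621 %s udp 41819903 192.168.0.1 21280 typ relay", ids[i]);
        printf("component \"%s\" -> slot %d\n", ids[i], store_candidate(slots, line));
    }
    return 0;
}
```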
Credit: SignalWire Inc.