[kamailio/kamailio] Outdated OpenSIPS Sources in Kamailio Project Lack Security Fixes (CVE-2023-28098) (Issue #3911)
### Description The master branch of the Kamailio project contains unpatched sources from OpenSIPS, in which [CVE-2023-28098](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-jrqg-vppj-hr2h) was reported. The function `parse_param_name()` from `kamailio/src/core/parser/digest/param_parser.c` does not include security patches and updates available in newer versions of OpenSIPS. The fix for CVE can be found in this commit: [OpenSIPS Commit dd9141b6](https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b7...)
### Possible Solutions I strongly recommend updating the sources from OpenSIPS to the latest version available.
### Report Origin The bug is detected by a tool developed at [CAST](https://castech.am/).
Thanks for reporting a potential issue of our project! Just for clarification, Kamailio does not contain code from any other project in this case, I tracked the related code to be dated back to 2002 (when the project had its original name `SER` and the project you named didn't exist). The other project probably inherited from this one when it was forked.
Anyhow, I tried to reproduce with the sample SIP message from the web and I didn't get any crash with Kamailio git master branch, it prints error messages:
``` 3(142428) ERROR: {1 9 REGISTER 83ZZolAa} <core> [core/parser/digest/digest.c:323]: find_credentials(): error while parsing credentials 3(142428) ERROR: {1 9 REGISTER 83ZZolAa} auth [api.c:73]: pre_auth(): Error while looking for credentials 3(142428) DEBUG: {1 9 REGISTER 83ZZolAa} auth_db [authorize.c:261]: digest_authenticate_hdr(): error or bad credentials ```
Then sends back SIP 401 response and continues to work normally. Kamailio was started with MySQL backed and user authentication done with `auth_db` module (like default `kamailio.cfg` with defined `WITH_MYSQL` and `WITH-AUTH`).
Can you provide (here or better via email to miconda@gmail.com) a SIP message related to this issue that causes a crash for Kamailio git master branch?
Thank you for your detailed response and for looking into this issue.
I appreciate you clarifying the origins of the code. Given your explanation, there was a misunderstanding about the source of the code in question.
Unfortunately, I do not have a specific SIP request message that causes a crash on the Kamailio. My report was primarily based on a static analysis tool, which flagged the potential vulnerability due to similarities in the codebase. The issue I reported is based on the presence of code in Kamailio that resembles the vulnerable code from OpenSIPS.
Thank you for your time and for maintaining the security and stability of the Kamailio project.
Thanks for those further details! Closing it as tests cannot reproduce it.
Closed #3911 as completed.
-
Daniel-Constantin Mierla -
Garnik Khroyan