17 Mar
2023
17 Mar
'23
3:04 p.m.
Hi all -
We just posted about the OpenSIPS security audit report and actually commented about this
topic:
https://www.rtcsec.com/post/2023/03/opensips-security-audit-report/#do-any-…
Here is what I wrote:
As of yet, we do not have a definitive answer. My initial impression, based on a spot
check done some time ago, was that the issues did not appear applicable to the newest
versions of Kamailio. But we are starting to take a second look and our opinion is
actually changing. We plan to delve deeper into this topic, report to the Kamailio
developers if anything is found and then publish a future blog post about it.
Regards,
--
Sandro Gauci, CEO at Enable Security GmbH
Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany
RTCSec Newsletter: https://www.rtcsec.com/subscribe
Our blog: https://www.rtcsec.com
Other points of contact: https://www.enablesecurity.com/contact/
On Wed, 15 Mar 2023, at 10:17 PM, Dovid Bender wrote:
Fred,
OK. I will try to produce myself on an older version of OpenSips and if I succeed there I
will try on Kamailio and report back.
On Wed, Mar 15, 2023 at 4:58 PM Fred Posner <fred(a)pgpx.io> wrote:
Just to add to what Henning has said… the report
is very interesting. I did spot check a few of the examples, as Sandro excellently
documented how to reproduce.
The reproduction (such as what you posted with param_parser did not produce the same
crash as reported. If you can reproduce something here, please let us know (issue would be
best) so it can be handled and documented.
Thanks,
—fred
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
On Mar 15, 2023, at 3:56 PM, Henning Westerholt
<hw(a)gilawa.com> wrote:
Hello,
thanks for sharing this. What was done in the security audit from them is something that
was done from many people already done in the past for the Kamailio project. Several
people presented about it at different conferences.
Many modules are also not similar due to the different ways both projects took (e.g.,
some modules are only present for one of the projects, Kamailio integrated many changes
from the SER projects etc..).
That said, its probably still make sense to review the applicable parts and make sure
that it does not affect the current code.
Cheers,
Henning
-- Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: Dovid Bender <dovid(a)telecurve.com>
Sent: Mittwoch, 15. März 2023 20:20
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] Issues/Vulnerabilities in OpenSipS that may affect Kamailio
Hi All,
OpenSipS just released an update to the audit that was done to OpenSips [1]. From my
basic coding skills it seems like the changes that were done by the OpenSipS project were
not implemented in Kamailio which means that Kamailio is potentially vulnerable? For
example you can compare the changes made by OpenSips project here [2] and the Kamailio
code here [3]
I am not active much on the list so please don't roast me if I am completely wrong
here.
Regards,
Dovid
[1] http://lists.opensips.org/pipermail/users/2023-March/046849.html
[2] https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b…
[3]
https://github.com/kamailio/kamailio/blob/master/src/core/parser/digest/par…
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe: