Overview

Reference: CVE-2018-14767

We strongly advise you to update your Kamailio installation to the latest stable release for security reasons.

All supported releases (5.0 and 5.1) contain an important security fix in the Kamailio core related to the handling of “To” headers.

The issues were fixed in the respective stable branches before the 5.0.7 and 5.1.4 releases. If you are already running the 5.0.7 or 5.1.4 release, the fixes are already deployed.

Technical details for the issue

There exists a security vulnerability in the Kamailio SIP server related to “To” header processing. A specially crafted SIP message containing two “To” headers and an empty “To” tag causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the “build_res_buf_from_sip_req” core function.

If an attacker sends many such messages, this leads to a Denial of Service of the attacked infrastructure. This is especially critical because no authentication of the remote source is needed.

This vulnerability was found by Henning Westerholt from the Kamailio team as part of his Kamailio SIP fuzzing project.

You can find all the details, including proof-of-concept code, in his published security announcement: Link

Solutions and recommendations

To prevent this vulnerability you can apply the patch from GitHub or use a release that includes that patch (e.g. 5.1.4 or 5.0.7). For older Kamailio versions, or if you need more time for an update, you can add the following logic at the top of the `request_route` block in your Kamailio configuration file. This drops the malicious message and prevents its further processing.

# $(hdr(To)[1]) is the second instance of the To header (index 0 is the first).
# A valid request carries exactly one To header, so a second one is rejected
# before the core builds any response from this request.
if($(hdr(To)[1]) != $null) {
    xlog("second To header not null - dropping message");
    drop;
}
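The same check can be useful outside the Kamailio configuration, for example in a monitoring or fuzz-triage script that inspects captured SIP requests. The following Python is an added example and not part of the advisory or of Kamailio: it parses the header section of a request, counts “To” headers (including the compact form `t`), mirrors the workaround's decision to drop a request with a second “To” header, and additionally reports the empty-tag condition the advisory describes. The two sample requests are constructed for the example.

```python
# Constructed sample requests (not from the advisory): a normal INVITE and one
# with the shape the advisory describes (two To headers, empty To tag).
NORMAL = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Length: 0\r\n\r\n"
)
DOUBLE_TO = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKxyz\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "t: <sip:bob@example.com>;tag=\r\n"  # compact form of To with an empty tag
    "Content-Length: 0\r\n\r\n"
)
COMPACT = {"t": "to"}  # RFC 3261 compact name for the To header

def parse_headers(raw):
    """Return (lower-cased name, value) pairs, unfolding continuation lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        if not line:
            continue
        if line[0] in " \t" and headers:  # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.append((COMPACT.get(name, name), value.strip()))
    return headers

def has_empty_tag(value):
    """True if the ;tag= parameter after the <...> URI carries no value."""
    rest = value.split(">", 1)[1] if ">" in value else value
    for param in rest.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.strip().lower() == "tag" and val.strip() == "":
            return True
    return False

def check_to_headers(raw):
    """Mirror the config workaround (drop on a second To header) and report the empty-tag case."""
    tos = [v for n, v in parse_headers(raw) if n == "to"]
    empty = any(has_empty_tag(v) for v in tos)
    return {"to_count": len(tos), "empty_tag": empty, "drop": len(tos) > 1}
```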

Remarks

Assigned CVE reference: CVE-2018-14767

The issues were found some months ago and were fixed quickly. The code related to the reported issues is rather old, and there are no known incidents of these issues being exploited so far. However, once the CVE report becomes public, the risk of exploitation may increase.

Please address any detailed technical questions related to the two bugs to the developer list at sr-dev@lists.kamailio.org.

For questions about the configuration workarounds please contact the user list at sr-users@lists.kamailio.org.

In case of confidential remarks related to this or other security issues, please address them to the Kamailio Management team.