[SA-0004][SS-4359] Security Issue Affecting All SER Installations: SIP Header Injection

Dear valued Sippy Customer,


A security vulnerability was reported in SER, a third-party module used in our Softswitch to handle SIP signalling, and it has been fixed by the module's maintainers.  This fix is now incorporated in all our production versions.  This security vulnerability leaves Switch Operators vulnerable to SIP header injection attacks.  In the worst-case scenario, the vulnerability could allow for toll fraud, caller-ID spoofing and authentication bypass.  Additional details can be found here


A corrective security patch is now available for all our production versions from 5.0 up to Sippy 2020.  Users currently operating OpenSIPS in Sippy v5.2 will not be affected by this issue.  This updated patch has been tested with Sippy Softswitch and approved for deployment since November 4th 2020.


This issue has been posted to the Common Vulnerabilities and Exposures List and has been assigned the CVE number CVE-2020-28361.  


Vulnerability Impact and Types


The following summarizes how this security vulnerability impacts you.


Confidentiality Impact: No impact.  Customer data is not accessed as part of this vulnerability.
Integrity Impact: Moderate.  SIP headers can be adjusted to manipulate some of the fields impacting CDR data and billing records.
Availability Impact: No impact.  Customer systems should remain up and available to serve additional traffic.
Gained Access: Low.  Call authentication systems could be bypassed, allowing traffic that would ordinarily be blocked.
Vulnerability Type: SIP Header Injection


Affected Versions and Resolution Plan


| Product | Version | Signaling Package | Resolution Action |
|---|---|---|---|
| Sippy Softswitch | v4.5 and earlier | SER | Contact [email protected] |
| Sippy Softswitch | v5.0 | SER | Update to the latest version of Sippy Softswitch v5.0. Plan upgrade to Sippy Softswitch 5.2 and enable OpenSIPS |
| Sippy Softswitch | v5.1 | SER | Update to the latest version of Sippy Softswitch v5.1, or update to the latest version of Sippy Softswitch v5.2 and enable OpenSIPS |
| Sippy Softswitch | v5.2 | SER | Switch Signaling to OpenSIPS |
| Sippy Softswitch | v5.2 | OpenSIPS | No action needed. |
| Sippy Softswitch | 2020 | OpenSIPS | No action needed. |


Next steps

Customers on Flex Licenses and Active Support agreements will be eligible for the patch, and patching will be performed on a priority basis.  Customers who are on Sippy Softswitch v4.5 or who do not currently have a support agreement are directed to contact [email protected] for further instructions.


Sincerely,


Phillip Ma

Product Manager

Sippy Software.

