[SA-0004][SS-4359] Security Issue Affecting all SER installations Sip Header Injection
Phillip Ma
started a topic
about 4 years ago
Dear valued Sippy Customer,
A security vulnerability was reported in a third party module used in our Softswitch. SER is used to handle SIP signalling and has been fixed by their maintainers. This Fix is now incorporated in all our production versions. This security vulnerability leave Switch Operators vulnerable to SIP header injection attacks. In their worst case scenarios the vulnerability could allow for toll fraud, caller-id spoofing and authentication bypass. Additional details can be found here:
We have made a corrective security patch is now available for all our production versions from 5.0 up to Sippy 2020. Users currently operating OpenSIPS in Sippy v5.2 will not be affected by this issue. This updated patch has been tested with Sippy Softswitch and approved for deployment since November 4th 2020.
This issue has been posted to the Common Vulnerabilities and Exposures List and has been assigned the CVE number CVE-2020-28361.
Vulnerability Impact and types
To review how this security vulnerability impacts you.
Confidentiality Impact
No impact. Customer data is not accessed as part of this vulnerability.
Integrity Impact
Moderate. SIP headers can be adjusted to manipulate some of the fields impacting CDR data and billing records.
Availability Impact
No impact. Customers Systems should remain up and available to serve additional traffic
Gained Access
Low. Call Authentication systems could be bypassed allowing traffic that would ordinarily be blocked.
Update to the latest version of Sippy Softswitch v5.0 Plan upgrade to Sippy Softswitch 5.2 and enable OpenSIPS
Sippy Softswitch
v5.1
SER
Update to the latest version of Sippy Softswitch v5.1 Or Update to the latest Version of Sippy Softswitch v5.2 and enable OpenSIPS
Sippy Softswitch
v5.2
SER
Switch Signaling to OpenSIPS
Sippy Softswitch
v5.2
OpenSIPS
No action needed.
Sippy Softswitch
2020
OpenSIPS
No action needed.
Next steps
Customers on Flex Licenses and Active Support agreements will be eligible for the patch and will be performed on a priority basis. Customers on Sippy Softswitch v4.5 or do not currently have a support agreement are directed to contact [email protected] for further instructions.
Phillip Ma
Dear valued Sippy Customer,
A security vulnerability was reported in a third party module used in our Softswitch. SER is used to handle SIP signalling and has been fixed by their maintainers. This Fix is now incorporated in all our production versions. This security vulnerability leave Switch Operators vulnerable to SIP header injection attacks. In their worst case scenarios the vulnerability could allow for toll fraud, caller-id spoofing and authentication bypass. Additional details can be found here:
We have made a corrective security patch is now available for all our production versions from 5.0 up to Sippy 2020. Users currently operating OpenSIPS in Sippy v5.2 will not be affected by this issue. This updated patch has been tested with Sippy Softswitch and approved for deployment since November 4th 2020.
This issue has been posted to the Common Vulnerabilities and Exposures List and has been assigned the CVE number CVE-2020-28361.
Vulnerability Impact and types
To review how this security vulnerability impacts you.
Affected Versions and Resolution Plan
Plan upgrade to Sippy Softswitch 5.2 and enable OpenSIPS
Update to the latest Version of Sippy Softswitch v5.2 and enable OpenSIPS
Next steps
Customers on Flex Licenses and Active Support agreements will be eligible for the patch and will be performed on a priority basis. Customers on Sippy Softswitch v4.5 or do not currently have a support agreement are directed to contact [email protected] for further instructions.
Sincerely,
Phillip Ma
Product Manager
Sippy Software.
2 people like this