Five Vulnerabilities Discovered in PJSIP Library This Week
PJSIP, an open-source library, is one of the most used libraries used by WhatsApp and many other VoIP applications. Recently, critical RCE bugs were detected from the PJSIP open source library.
This week, PJSIP discovered five critical security vulnerabilities that threat actors can exploit for arbitrary code execution and DoS attacks using the protocol stack in the implementation.
Among these five bugs, three of the vulnerabilities are related to stack overflow errors, which scored 8.1 critical level on the CVSS scale. The other two remaining bugs in the PJSUA API are related to the out-of-buffer read vulnerability and the buffer overflow vulnerability, a criticality level of 5.9 on the CVSS scale.
How Do Vulnerabilities Affect?
PJSIP is an open-source library that supports the C-based and SIP protocol that supports features such as instant messaging, video, audio for popular communication platforms such as WhatsApp and BlueJeans.
At the same time, PJSIP can be used in Asterisk, widely used for VoIP networks.
The vulnerabilities in PJSIP are known as buffer overflow, stack overflow, and out-of-bounds read vulnerabilities.
Vulnerabilities discovered in the PJSUA API;
- CVE-2021-43299 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_player_create and has a CVSS score of 8.1.
- CVE-2021-43300 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_recorder_create and has a CVSS score of 8.1.
- CVE-2021-43301 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_playlist_create and has a CVSS score of 8.1.
- CVE-2021-43302 (DDoS): It’s a read out-of-bounds in PJSUA API when calling pjsua_recorder_create and has a CVSS score of 5.9.
- CVE-2021-43303 (DDoS): It’s a buffer overflow in PJSUA API when calling pjsua_call_dump and has a CVSS score of 5.9.
Cyber threat actors can send malicious parameters to any of the vulnerable APIs, execute code, and perform DoS attacks by successfully exploiting these vulnerabilities.
How to Fix Vulnerabilities?
To fix the vulnerabilities discovered in the PJSIP library and be slightly affected by the vulnerabilities, you need to update and upgrade to the latest version.
These vulnerabilities affect all projects using version 2.12 or the older PJSIP library. While instant messaging apps like Skype, WhatsApp, and Google Hangouts have made it easy for anyone from anywhere in the world to interact face-to-face, these security flaws illustrate the exact scenario of these apps.
PJSIP is a multimedia communication library used by the Asterisk enterprise-class open source PBX toolkit. It is used primarily to provide voice over IP (VoIP) services.
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Get free access