Claroty’s Team82 has detected a NULL pointer dereference vulnerability in Belledonne Communications’ Linphone SIP protocol stack. The belle-sip library is used to implement various SIP layers, and belle-sip versions before 4.5.20 are affected as used in Linphone and other SIP-based products, including IoT firmware and VoIP (voice-over-IP) mobile applications.
The NULL pointer dereference vulnerability was fixed in v4.5.20 of the SIP protocol stack, and users should ensure their devices, applications, and development environments are running updated versions of the stack, Claroty said.
The SIP protocol lies at the core of many VoIP applications, as it facilitates real-time messaging over voice, video, or text between IP-based endpoints, Sharon Brizinov, a Claroty researcher, wrote in a blog post. This prompted Team82 to examine the security of the Linphone SIP client suite, the first open-source application to use SIP on Linux. While VoIP services are free and convenient for users, any compromise of such a service can give an attacker a foothold onto a corporate network and possibly the IoT/OT (operational technology) network.
Successful exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks. A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects.
“During our work we discovered that a simple, misplaced slash in an invalid SIP message header could trigger a dereference vulnerability in the belle-sip C library used to implement SIP transport, transaction, and dialog layers,” Brizinov said. “This is a unique zero-click vulnerability that may be remotely exploitable, and could affect any device running a vulnerable version of belle-sip library and crash the VoIP client.”
Team82, Claroty’s research arm, investigates industrial software, networks, and protocols for vulnerabilities and works in a coordinated manner with vendors to get flaws addressed before attackers can exploit them. It found the NULL pointer dereference vulnerability in the Linphone belle-sip component.
“Belle-sip is a C library with an object-oriented API used to implement SIP transport, transaction, and dialog layers; there’s also an HTTP/HTTPS client implementation,” according to Brizinov. “The vulnerability is remotely exploitable, requiring no action from the victim. This is a dangerous zero-click attack requiring only an invalid SIP message header to be sent that would crash the client and create a denial-of-service condition.”
All belle-sip versions before v4.5.20 in Linphone and likely other similar products are affected. The vulnerability was fixed in v4.5.20 of the SIP protocol stack, Brizinov said. As with most third-party components, patching the core protocol stack is the right first step, but those updates must also be applied downstream by vendors using the affected SIP stack in their respective products. Linphone’s website, for example, cites close to 30 reference customers, including vendors such as BT, Acer, and Swisscom, all of whom develop VoIP applications with Linphone at their core, he added.
Linphone is a free voice-over-IP softphone, SIP client, and service, which may be used for direct audio and video calls and for calls through any VoIP softswitch or IP-PBX. Under the hood, Linphone uses the belle-sip component for handling low-level SIP message parsing. Linphone’s website states it has over 200 corporate customers globally in various sectors, including telecommunications, secure communications, social networking, home automation, telepresence, and IoT.
“The underlying bug here is that non-SIP URIs are accepted as valid SIP header values. Therefore, a generic URI such as a simple single forward slash (/), will be considered a SIP URI,” according to Brizinov. “This means that the given URI will not contain a valid SIP scheme (scheme will be NULL), and so when the compare function is called with the non-existent scheme (NULL), a null pointer dereference will be triggered and crash the SIP client. In other words, a simple INVITE packet such as this will crash the SIP client application because of a NULL pointer dereference,” he added.
Given the malicious header value </, the ‘generic_uri’ parser is called to parse the header value, which should be a valid URI. Since the URI is ‘/’, it passes all checks and a generic URI is created. Because a forward slash is considered a valid path segment, no error is raised, Brizinov pointed out in the post.
Next, a scheme is extracted from the parsed URI. Since there is no scheme, a NULL pointer is returned, and the returned pointer is not checked. Finally, ‘strcasecmp’ is called with the NULL pointer and ‘sip’ as arguments. The first parameter is dereferenced, and a segmentation fault occurs, he added.
Every SIP client in a SIP network is listening for INVITE requests from other clients. Once an INVITE message is received, the SIP client will parse the message and respond accordingly. Therefore, it is possible to exploit this vulnerability without user interaction (zero-click), Brizinov wrote.
All that is needed to exploit this remotely is to send to any SIP client in the network an INVITE SIP request with a specifically crafted From/To/Diversion header that will trigger the NULL pointer dereference vulnerability. Any application that uses belle-sip under the hood to parse SIP messages is vulnerable and will crash upon receiving a malicious SIP ‘call,’ he added.
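The two mechanisms the article describes, a scheme extractor that returns NULL for a scheme-less URI such as ‘/’ and a comparison against ‘sip’ that must test that pointer first, can be shown side by side with a defender's check over the From/To/Diversion headers of an INVITE. The following C program is an added illustration written for this page; it is not belle-sip, Linphone, or Claroty code. The function names (‘uri_scheme’, ‘classify_uri’, ‘count_schemeless_addr_headers’), the simplified RFC 3986 scheme grammar, and the sample INVITE are all assumptions constructed for the example; the header walker is the kind of logic a SIP-aware filter or IDS rule would apply in front of an unpatched client.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of checking one URI-bearing header value. */
enum uri_class { URI_SIP = 0, URI_OTHER_SCHEME = 1, URI_NO_SCHEME = 2 };

/* Copy the RFC 3986 scheme ("sip", "sips", "tel", ...) of `uri` into `out`.
 * Returns out, or NULL when the URI has no scheme at all, which is exactly
 * what the article describes for the bare path "/". (Hypothetical helper.) */
static const char *uri_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i = 0;
    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return NULL;
    while (uri[i] && (isalnum((unsigned char)uri[i]) ||
                      uri[i] == '+' || uri[i] == '-' || uri[i] == '.'))
        i++;
    if (uri[i] != ':' || i >= outlen)
        return NULL;
    memcpy(out, uri, i);
    out[i] = '\0';
    return out;
}

/* Hardened comparison: test the scheme pointer before strcasecmp sees it.
 * Without the NULL test this is the strcasecmp(NULL, "sip") call from the article. */
enum uri_class classify_uri(const char *uri)
{
    char scheme[32];
    const char *s = uri_scheme(uri, scheme, sizeof scheme);
    if (s == NULL)
        return URI_NO_SCHEME;   /* the unchecked code would dereference NULL here */
    return strcasecmp(s, "sip") == 0 ? URI_SIP : URI_OTHER_SCHEME;
}

/* Extract the URI from a From/To/Diversion value: the text inside <...> when
 * angle brackets are present, otherwise everything up to the first ';'. */
static void header_uri(const char *value, char *out, size_t outlen)
{
    const char *start = strchr(value, '<');
    const char *end;
    if (start) {
        start++;
        end = strchr(start, '>');
        if (!end) end = start + strlen(start);
    } else {
        start = value;
        end = strchr(value, ';');
        if (!end) end = value + strlen(value);
    }
    size_t n = (size_t)(end - start);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/* Walk a raw SIP request (CRLF-separated headers) and count From/To/Diversion
 * values (long and compact forms) whose URI carries no scheme. A non-zero
 * result is the condition worth alerting on in front of an unpatched client. */
int count_schemeless_addr_headers(const char *msg)
{
    static const char *const watched[] = { "From", "To", "Diversion", "f", "t" };
    int hits = 0;
    const char *line = msg;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                       /* blank line ends the headers */
        const char *colon = memchr(line, ':', len);
        if (colon) {
            size_t nlen = (size_t)(colon - line);
            for (size_t k = 0; k < sizeof watched / sizeof watched[0]; k++) {
                if (strlen(watched[k]) != nlen || strncasecmp(line, watched[k], nlen) != 0)
                    continue;
                char value[256], uri[256];
                const char *v = colon + 1;
                while (*v == ' ' || *v == '\t') v++;
                size_t vlen = (size_t)(line + len - v);
                if (vlen >= sizeof value) vlen = sizeof value - 1;
                memcpy(value, v, vlen);
                value[vlen] = '\0';
                header_uri(value, uri, sizeof uri);
                if (classify_uri(uri) == URI_NO_SCHEME) hits++;
            }
        }
        if (!eol) break;
        line = eol + 2;
    }
    return hits;
}

/* Constructed sample INVITE (not a capture): From carries a proper SIP URI,
 * To carries the bare path "/" from the article, Diversion carries a tel: URI. */
const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: </>\r\n"
    "Diversion: <tel:+15551230000>\r\n"
    "Call-ID: constructed-example@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n";

int main(void)
{
    printf("scheme-less From/To/Diversion headers in sample: %d\n",
           count_schemeless_addr_headers(SAMPLE_INVITE));
    return 0;
}
```

The fix pattern is the single NULL test in ‘classify_uri’: every consumer of a parsed URI's scheme has to assume the scheme can be absent, because the generic URI grammar legitimately accepts a path with no scheme. The header walker is deliberately conservative and only flags the three header names the article identifies, so it produces a signal for monitoring rather than a general SIP validator.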