Last Updated on 04/03/2022 by Nidhi Khandelwal
communication library has five security flaws that could be exploited by an attacker to cause arbitrary code execution and denial-of-service (DoS) in programs that use the protocol stack.
JFrog’s Security Research team discovered and reported the flaws, and the project’s maintainers released patches (version 2.12) last week on February 24, 2022.
PJSIP is an open-source embedded SIP protocol suite written in C for popular communication platforms like WhatsApp and BlueJeans. It supports audio, video, and instant messaging features. Asterisk, a popular private branch exchange (PBX) switching technology for VoIP networks, also uses it.
“Buffers used in PJSIP typically have limited sizes, especially those allocated in the stack or supplied by the application,” PJSIP developer Sauw Ming wrote in a GitHub advisory last month, “but in several places, we do not check if our usage can exceed the sizes,” a scenario that could lead to buffer overflows.
According to Uriya Yavnieli, a JFrog researcher who identified the issues, successful exploitation of the aforementioned flaws might allow a malicious actor to deliver attacker-controlled arguments to any of the vulnerable APIs, resulting in code execution and a DoS condition
