FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.
References
Link | Resource |
---|---|
https://github.com/signalwire/freeswitch/releases/tag/v1.10.10 | Release Notes |
https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-15T19:32:19.207Z
Updated: 2023-09-15T19:32:19.207Z
Reserved: 2023-08-08T13:46:25.242Z
Link: CVE-2023-40018
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-09-15T20:15:09.447
Modified: 2023-09-21T15:05:34.567
Link: CVE-2023-40018
JSON object: View
Redhat Information
No data.
CWE