Hi all -
We just posted about the OpenSIPS security audit report and actually commented
about this topic:
https://www.rtcsec.com/post/2023/03/opensips-security-audit-report/#do-any-of-these-vulnerabilities-affect-kamailio-too
Here is what I wrote:
As of yet, we do not have a definitive answer. My initial impression, based on
a spot check done some time ago, was that the issues did not appear applicable
to the newest versions of Kamailio. But we are starting to take a second look
and our opinion is actually changing. We plan to delve deeper into this topic,
report to the Kamailio developers if anything is found and then publish a
future blog post about it.
Regards,
--
Sandro Gauci, CEO at Enable Security GmbH
Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Neuburger Straße 101 b, 94036 Passau,
Germany
RTCSec Newsletter: https://www.rtcsec.com/subscribe
Our blog: https://www.rtcsec.com
Other points of contact: https://www.enablesecurity.com/contact/
On Wed, 15 Mar 2023, at 10:17 PM, Dovid Bender wrote:
> Fred,
>
> OK. I will try to reproduce it myself on an older version of OpenSips and if I
> succeed there I will try on Kamailio and report back.
>
>
>
> On Wed, Mar 15, 2023 at 4:58 PM Fred Posner <[email protected]> wrote:
>> Just to add to what Henning has said… the report is very interesting. I did
>> spot check a few of the examples, as Sandro excellently documented how to
>> reproduce.
>>
>> The reproduction (such as what you posted with param_parser) did not produce
>> the same crash as reported. If you can reproduce something here, please let
>> us know (an issue would be best) so it can be handled and documented.
>>
>> Thanks,
>>
>> —fred
>>
>> > On Mar 15, 2023, at 3:56 PM, Henning Westerholt <[email protected]> wrote:
>> >
>> > Hello,
>> > thanks for sharing this. What was done in their security audit is
>> > something that many people have already done in the past for the
>> > Kamailio project. Several people presented about it at different
>> > conferences.
>> > Many modules are also not similar due to the different ways both projects
>> > took (e.g., some modules are only present in one of the projects,
>> > Kamailio integrated many changes from the SER project, etc.).
>> > That said, it probably still makes sense to review the applicable parts
>> > and make sure that it does not affect the current code.
>> > Cheers,
>> > Henning
>> > -- Henning Westerholt – https://skalatan.de/blog/
>> > Kamailio services – https://gilawa.com
>> > From: Dovid Bender <[email protected]>
>> > Sent: Wednesday, 15 March 2023 20:20
>> > To: Kamailio (SER) - Users Mailing List <[email protected]>
>> > Subject: [SR-Users] Issues/Vulnerabilities in OpenSipS that may affect
>> > Kamailio
>> > Hi All,
>> > OpenSipS just released an update to the audit that was done on OpenSips
>> > [1]. From my basic coding skills it seems like the changes that were made
>> > by the OpenSipS project were not implemented in Kamailio, which means that
>> > Kamailio is potentially vulnerable? For example, you can compare the
>> > changes made by the OpenSips project here [2] and the Kamailio code here [3].
>> > I am not very active on the list, so please don't roast me if I am
>> > completely wrong here.
>> >
>> > Regards,
>> >
>> > Dovid
>> > [1] http://lists.opensips.org/pipermail/users/2023-March/046849.html
>> > [2]
>> > https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b73df5e102
>> > [3]
>> > https://github.com/kamailio/kamailio/blob/master/src/core/parser/digest/param_parser.c
>> > __________________________________________________________
>> > Kamailio - Users Mailing List - Non Commercial Discussions
>> > To unsubscribe send an email to [email protected]
>> > Important: keep the mailing list in the recipients, do not reply only to
>> > the sender!
>> > Edit mailing list options or unsubscribe: