CVE-2021-32611
📋 TL;DR
This vulnerability is a NULL pointer dereference in eXosip2's eXcall_api.c that can be triggered by processing certain 3xx redirect responses. It affects systems using eXosip2 for SIP communication, potentially causing denial of service or remote code execution. Any application or device using vulnerable eXosip2 versions is affected.
💻 Affected Systems
- eXosip2
- Applications using eXosip2 library
📦 What is this software?
eXosip2 by Antisip
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if combined with other vulnerabilities or memory corruption techniques.
Likely Case
Denial of service causing SIP service crashes and disruption of voice/video communications.
If Mitigated
Service interruption requiring restart, but no data compromise if proper segmentation exists.
🎯 Exploit Status
Exploitation requires sending specially crafted 3xx redirect responses to vulnerable SIP endpoints. No authentication needed as SIP redirects are part of normal protocol flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit f2ed389fe84613512cc560127883e51e6cf8c054 and later
Vendor Advisory: http://git.savannah.nongnu.org/cgit/exosip.git/commit/?id=f2ed389fe84613512cc560127883e51e6cf8c054
Restart Required: Yes
Instructions:
1. Update eXosip2 to a build that includes commit f2ed389fe84613512cc560127883e51e6cf8c054 or later.
2. Recompile applications using the library.
3. Restart all services using eXosip2.
🔧 Temporary Workarounds
Filter 3xx Redirects
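Configure network filtering to block or inspect 3xx redirect responses before they reach vulnerable systems. On Linux with iptables, the rules below drop cleartext SIP packets that contain a 3xx status-line prefix ("SIP/2.0 3"); this blocks all redirects, legitimate ones included, and cannot see inside SIP over TLS.
iptables -A INPUT -p udp --dport 5060 -m string --string "SIP/2.0 3" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 5060 -m string --string "SIP/2.0 3" --algo bm -j DROP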
🧯 If You Can't Patch
- Implement network segmentation to isolate SIP services from untrusted networks
- Deploy intrusion prevention systems to detect and block malicious SIP redirect patterns
🔍 How to Verify
Check if Vulnerable:
Check eXosip2 version and compare against vulnerable range. Examine application dependencies for eXosip2 library usage.
Check Version:
ldconfig -p | grep -i exosip2 && strings /path/to/libeXosip2.so | grep -i version
Verify Fix Applied:
Verify eXosip2 version is after commit f2ed389fe84613512cc560127883e51e6cf8c054. Test with controlled 3xx redirect responses.
📡 Detection & Monitoring
Log Indicators:
- SIP service crashes
- Segmentation fault errors in application logs
- Abnormal termination of SIP processes
Network Indicators:
- Multiple 3xx redirect responses to single SIP endpoint
- Unusual SIP response patterns
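The "multiple 3xx redirect responses to single SIP endpoint" indicator above can be checked with a sliding-window counter over captured SIP payloads. This is an added example, not code from eXosip2 or the advisory; the (timestamp, destination, payload) input format, the threshold of 3 and the 10-second window are assumptions, and the sample packets are constructed.

```python
import re
from collections import defaultdict, deque

# SIP response status line per RFC 3261: "SIP/2.0 <3-digit code> <reason>"
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")

def sip_status(payload: bytes):
    """Return the status code of a SIP response, or None for requests/garbage."""
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = STATUS_LINE.match(first_line)
    return int(m.group(1)) if m else None

def redirect_bursts(packets, threshold=3, window=10.0):
    """Flag endpoints that receive >= threshold 3xx responses within `window` seconds.

    packets: time-ordered iterable of (timestamp, dst_endpoint, payload).
    Returns a list of (timestamp, dst_endpoint, count_in_window) alerts.
    """
    recent = defaultdict(deque)   # dst_endpoint -> timestamps of recent 3xx
    alerts = []
    for ts, dst, payload in packets:
        code = sip_status(payload)
        if code is None or not 300 <= code <= 399:
            continue              # requests and non-redirect responses are ignored
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window: # expire redirects that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, dst, len(q)))
    return alerts

def _resp(code, reason):
    # Constructed minimal SIP response; real traffic carries more headers.
    return f"SIP/2.0 {code} {reason}\r\nCSeq: 1 INVITE\r\n\r\n".encode()

# Constructed sample capture (documentation addresses from 192.0.2.0/24).
SAMPLE = [
    (0.0, "192.0.2.5:5060", _resp(200, "OK")),
    (1.0, "192.0.2.5:5060", _resp(302, "Moved Temporarily")),
    (2.0, "192.0.2.5:5060", _resp(301, "Moved Permanently")),
    (3.0, "192.0.2.7:5060", _resp(302, "Moved Temporarily")),
    (4.0, "192.0.2.5:5060", _resp(300, "Multiple Choices")),
    (5.0, "192.0.2.5:5060", b"INVITE sip:a@example.com SIP/2.0\r\n\r\n"),
    (30.0, "192.0.2.5:5060", _resp(302, "Moved Temporarily")),
]

if __name__ == "__main__":
    for ts, dst, n in redirect_bursts(SAMPLE):
        print(f"{ts:.1f}s {dst}: {n} redirects in window")
```

Correlating an alert with a crash or restart of the SIP process on the same host shortly afterwards ties this network indicator to the log indicators listed above.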
SIEM Query:
source="*sip*" AND ("segmentation fault" OR "null pointer" OR "crash")