CVE-2021-42555

7.5 HIGH

📋 TL;DR

CVE-2021-42555 is an input validation vulnerability in Pexip Infinity that allows a temporary remote denial of service: a malformed call setup request causes the call-handling service to abort. It affects all Pexip Infinity deployments before version 26.2 that process external call requests.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: All versions before 26.2
Operating Systems: Linux-based appliance
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments processing SIP/H.323 call setup are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers can cause complete service disruption for all video conferencing calls, rendering the Pexip Infinity platform temporarily unavailable for all users.

🟠 Likely Case: Targeted DoS attacks against specific conferences or meeting rooms, causing temporary disruption to business communications.

🟢 If Mitigated: With proper network segmentation and rate limiting, impact is limited to isolated service components with automatic recovery.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed call setup packets, but no authentication or special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.2 or later

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download Pexip Infinity 26.2 or later from the Pexip support portal.
3. Apply the update via the management interface.
4. Restart services as prompted.

🔧 Temporary Workarounds

Network segmentation and filtering (all):

Restrict access to call setup ports (5060-5061 TCP/UDP for SIP, 1720 TCP for H.323) to trusted sources only.

Rate limiting (all):

Implement rate limiting on SIP/H.323 ports to prevent rapid exploitation attempts.

🧯 If You Can't Patch

  • Implement strict network ACLs allowing only trusted endpoints to connect to call setup ports
  • Deploy intrusion prevention systems with signatures for malformed SIP/H.323 packets

🔍 How to Verify

Check if Vulnerable:

Check the Pexip Infinity version via the management interface: Settings > System > About. If the version is below 26.2, the system is vulnerable.

Check Version:

ssh admin@pexip-host 'pexip --version'

Verify Fix Applied:

After patching, verify that the version is 26.2 or higher and test call setup functionality with legitimate clients.

📡 Detection & Monitoring

Log Indicators:

  • Abnormal call setup failures
  • Service restart logs
  • High rate of malformed SIP/H.323 packets in system logs

Network Indicators:

  • Unusual traffic patterns on SIP/H.323 ports
  • Rapid connection attempts from single sources
  • Malformed protocol packets

SIEM Query:

source="pexip" AND ("abort" OR "restart" OR "call setup failed")
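As an added example (not from this page or from Pexip), the SIEM query above expressed as detection logic run over constructed sample log lines in a hypothetical syslog-like format, extended with the per-source rate check that the "rapid connection attempts from single sources" indicator calls for:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<timestamp> <source> <message>" layout;
# this is not real Pexip Infinity log output.
SAMPLE_LOGS = [
    "2021-11-02T10:15:01Z pexip conf: call setup failed from 203.0.113.7 reason=malformed INVITE",
    "2021-11-02T10:15:09Z pexip conf: call setup failed from 203.0.113.7 reason=malformed INVITE",
    "2021-11-02T10:15:18Z pexip conf: call setup failed from 203.0.113.7 reason=malformed INVITE",
    "2021-11-02T10:15:27Z pexip conf: media service abort during call setup from 203.0.113.7",
    "2021-11-02T10:15:30Z pexip conf: service restart scheduled after abort",
    "2021-11-02T10:16:02Z pexip conf: call setup failed from 198.51.100.5 reason=no route",
    "2021-11-02T10:16:10Z pexip conf: call established from 198.51.100.9",
    "2021-11-02T10:16:12Z nginx worker restart",
]

KEYWORDS = ("abort", "restart", "call setup failed")  # terms from the SIEM query
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_siem_query(line):
    """Equivalent of: source="pexip" AND ("abort" OR "restart" OR "call setup failed")."""
    m = LINE_RE.match(line)
    if not m or m.group("src") != "pexip":
        return False
    msg = m.group("msg").lower()
    return any(k in msg for k in KEYWORDS)


def flag_sources(lines, window=timedelta(seconds=60), threshold=3):
    """Return {ip: peak count} for sources with >= threshold matching events inside any window."""
    events = defaultdict(list)
    for line in lines:
        if not matches_siem_query(line):
            continue
        m = LINE_RE.match(line)
        ip = IP_RE.search(m.group("msg"))
        if ip:  # events without a source address (e.g. service restarts) are not attributed
            events[ip.group(1)].append(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over this source's event times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOGS))  # {'203.0.113.7': 4}
```

The single failure from 198.51.100.5 stays below the threshold, so only the source repeatedly triggering aborts during call setup is reported.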
