CVE-2022-24793
📋 TL;DR
CVE-2022-24793 is a buffer overflow vulnerability in PJSIP's DNS resolution component affecting versions 2.12 and prior. It allows attackers to execute arbitrary code or cause denial of service by sending malicious DNS responses. Only applications using PJSIP's built-in DNS resolver are affected.
💻 Affected Systems
- PJSIP (pjproject)
- Applications using PJSIP library
📦 What is this software?
Pjsip by Pjsip
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.
Likely Case
Denial of service causing application crashes or instability in affected PJSIP services.
If Mitigated
No impact if an external DNS resolver is used or DNS resolution is disabled.
🎯 Exploit Status
Exploitation requires ability to send malicious DNS responses to vulnerable systems, which could be achieved through DNS poisoning or man-in-the-middle attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: master branch commit 9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a and later
Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
Restart Required: Yes
Instructions:
1. Update to latest PJSIP from master branch.
2. Recompile and reinstall PJSIP.
3. Restart all applications using PJSIP.
🔧 Temporary Workarounds
Disable DNS resolution
Configure PJSIP to not use DNS resolution by setting nameserver_count to zero
In PJSIP configuration: nameserver_count = 0
Use external DNS resolver
Configure applications to use external DNS resolver instead of PJSIP's built-in resolver
🧯 If You Can't Patch
- Implement network segmentation to isolate PJSIP services from untrusted networks
- Deploy DNS filtering and monitoring to detect malicious DNS responses
🔍 How to Verify
Check if Vulnerable:
Check the PJSIP version and verify whether the built-in DNS resolver is in use. Version 2.12 or earlier with DNS resolution enabled is vulnerable.
Check Version:
pjsua --version or check pjlib version in application
Verify Fix Applied:
Verify that the PJSIP build includes commit 9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a or later and that DNS resolution is properly configured.
📡 Detection & Monitoring
Log Indicators:
- Application crashes
- Memory access violation errors
- Unexpected DNS query failures
Network Indicators:
- Unusual DNS response patterns
- Large DNS packets to PJSIP services
SIEM Query:
source="pjsip" AND (event_type="crash" OR error="segmentation fault" OR error="buffer overflow")
🔗 References
- https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
- https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html