CVE-2023-27585
📋 TL;DR
A buffer overflow vulnerability in PJSIP's DNS resolver allows attackers to execute arbitrary code or cause denial of service by sending specially crafted DNS responses. This affects applications using PJSIP versions 2.13 and earlier with DNS resolution enabled. Users who disable DNS resolution or use external resolvers are not affected.
💻 Affected Systems
- PJSIP (pjproject)
- Any application using PJSIP library
📦 What is this software?
Pjsip by Teluu
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.
Likely Case
Denial of service causing application crashes and service disruption.
If Mitigated
No impact if DNS resolution is disabled or external resolvers are used.
🎯 Exploit Status
Exploitation requires sending malicious DNS responses to the vulnerable resolver. Similar to CVE-2022-24793, but in a different parsing function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Master branch commit d1c5e4d and later
Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
Restart Required: Yes
Instructions:
1. Update to latest PJSIP version from master branch
2. Apply commit d1c5e4da5bae7f220bc30719888bb389c905c0c5
3. Recompile and reinstall the library
4. Restart all applications using PJSIP
🔧 Temporary Workarounds
Disable DNS Resolution
Configure PJSIP to not use its built-in DNS resolver
Set nameserver_count = 0 in PJSIP configuration
Use External DNS Resolver
Configure the application to use the system DNS or an external resolver instead of PJSIP's resolver
🧯 If You Can't Patch
- Implement network segmentation to isolate PJSIP applications from untrusted DNS servers
- Deploy DNS filtering/proxy to sanitize DNS responses before they reach PJSIP
🔍 How to Verify
Check if Vulnerable:
Check PJSIP version and verify if DNS resolution is enabled in configuration
Check Version:
pkg-config --modversion libpjproject, or check the library headers
Verify Fix Applied:
Verify commit d1c5e4d is included in your build and test DNS functionality
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- DNS resolution failures
- Memory corruption errors
Network Indicators:
- Unusual DNS response patterns to PJSIP applications
- Large DNS responses to PJSIP resolver
SIEM Query:
source="application.log" AND ("segmentation fault" OR "buffer overflow") AND process="pjsip"
🔗 References
- https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
- https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
- https://lists.debian.org/debian-lts-announce/2023/04/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://www.debian.org/security/2023/dsa-5438
- https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html