CVE-2023-27599

7.5 HIGH

📋 TL;DR

CVE-2023-27599 is a denial-of-service vulnerability in the OpenSIPS SIP server: a malformed To header in a SIP message triggers an abort() call, causing the server to crash. This affects OpenSIPS installations using functions like append_hf that process SIP headers. Attackers can exploit this to disrupt SIP services.

💻 Affected Systems

Products:
  • OpenSIPS
Versions: All versions prior to 3.1.7 and 3.2.4
Operating Systems: All platforms running OpenSIPS
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using functions that process SIP headers like append_hf. The vulnerability requires specific code paths to be triggered.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of OpenSIPS server, disrupting all SIP-based communications including VoIP calls and messaging services.

🟠 Likely Case

Service disruption causing dropped calls and failed SIP transactions until service is restarted.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH - OpenSIPS servers exposed to the internet can be targeted by any remote attacker sending malformed SIP packets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted SIP message with a malformed To header. No authentication is needed if the server is reachable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 or 3.2.4

Vendor Advisory: https://github.com/OpenSIPS/opensips/security/advisories/GHSA-qvj2-vqrg-f5jx

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Stop OpenSIPS service.
3. Upgrade to OpenSIPS 3.1.7 or 3.2.4 using package manager or source compilation.
4. Verify configuration compatibility.
5. Restart OpenSIPS service.

🔧 Temporary Workarounds

Network Filtering

linux

Implement network-level filtering to block malformed SIP packets before they reach OpenSIPS.

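# '|546f3a|' is the ASCII encoding of "To:" (matched case-sensitively), so these rules
# drop any packet to port 5060 containing that string, including well-formed SIP
# messages that use the full-form To header.
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --hex-string '|546f3a|' -j DROP
iptables -A INPUT -p tcp --dport 5060 -m string --algo bm --hex-string '|546f3a|' -j DROP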

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to OpenSIPS servers only to trusted SIP endpoints.
  • Deploy intrusion detection systems to monitor for malformed SIP packets and alert on potential exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check OpenSIPS version: opensips -V. If version is below 3.1.7 (for 3.1.x branch) or below 3.2.4 (for 3.2.x branch), the system is vulnerable.

Check Version:

opensips -V

Verify Fix Applied:

After patching, verify version is 3.1.7 or higher (3.1.x) or 3.2.4 or higher (3.2.x) and test with SIP traffic containing various To header formats.
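
The version rule above is branch-specific, so a single "at least 3.1.7" comparison would wrongly pass 3.2.0 through 3.2.3. The following is an added example, not code from the original page or from the OpenSIPS project; the function names, the sample line and the assumption that `opensips -V` prints the version as an X.Y.Z triple are illustrative.

```shell
#!/bin/sh
# Added example: branch-aware check against the fixed versions named on this
# page (3.1.7 for the 3.1.x branch, 3.2.4 for the 3.2.x branch).
# Constructed sample of `opensips -V` output (format is an assumption).
SAMPLE_OUTPUT='version: opensips 3.2.3 (x86_64/linux)'

# Return the first X.Y.Z triple found in the given text (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print "vulnerable", "patched" or "unknown" for a version string.
# Anything newer than the 3.2 branch is not "prior to 3.1.7 and 3.2.4",
# so it is reported as patched.
classify_version() {
    ver=$1
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop suffixes such as "-rc1"
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -lt 3 ]; then echo vulnerable; return 0; fi
    if [ "$major" -gt 3 ]; then echo patched; return 0; fi
    if [ "$minor" -eq 1 ]; then fixed=7
    elif [ "$minor" -eq 2 ]; then fixed=4
    elif [ "$minor" -lt 1 ]; then echo vulnerable; return 0
    else echo patched; return 0
    fi
    if [ "$patch" -lt "$fixed" ]; then echo vulnerable; else echo patched; fi
}

# Classify raw `opensips -V` output.
check_output() {
    classify_version "$(extract_version "$1")"
}

# Run against the local binary only when it is installed.
if command -v opensips >/dev/null 2>&1; then
    echo "CVE-2023-27599: $(check_output "$(opensips -V 2>&1)")"
fi
```

An "unknown" result means the version string could not be parsed and should be checked by hand.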

📡 Detection & Monitoring

Log Indicators:

  • OpenSIPS process crashes or restarts
  • Abnormal termination messages in system logs
  • Increased error logs related to SIP header parsing

Network Indicators:

  • Unusual SIP packets with malformed To headers
  • SIP traffic patterns causing service disruption

SIEM Query:

source="opensips.log" AND ("abort" OR "crash" OR "segmentation fault")
