CVE-2023-27601

7.5 HIGH

📋 TL;DR

CVE-2023-27601 is a denial-of-service vulnerability in OpenSIPS where sending a malformed SDP body without proper line feed termination causes the server to crash. This affects OpenSIPS servers running configurations that use functions like codec_delete_except_re or codec_delete_re. Attackers can exploit this to disrupt SIP services.

💻 Affected Systems

Products:
  • OpenSIPS
Versions: All versions prior to 3.1.7 and 3.2.4
Operating Systems: All platforms running OpenSIPS
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using functions that rely on delete_sdp_line, particularly codec_delete_except_re and codec_delete_re functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage of OpenSIPS server, disrupting all SIP-based communications including VoIP calls, messaging, and presence services.

🟠 Likely Case: Intermittent service disruptions and server crashes requiring manual restart, impacting availability of SIP services.

🟢 If Mitigated: No impact if patched or if vulnerable functions are not used in configuration.

🌐 Internet-Facing: HIGH - OpenSIPS servers are typically internet-facing SIP proxies, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal OpenSIPS deployments could still be targeted by internal threats or compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted SIP messages with malformed SDP bodies. The vulnerability was discovered through fuzzing, suggesting automated exploitation is feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 or 3.2.4

Vendor Advisory: https://github.com/OpenSIPS/opensips/security/advisories/GHSA-xj5x-g52f-548h

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Upgrade to OpenSIPS 3.1.7 or 3.2.4.
3. Verify the fix by checking version.
4. Restart OpenSIPS service.

🔧 Temporary Workarounds

Disable vulnerable functions (all platforms)

Remove or disable usage of codec_delete_except_re and codec_delete_re functions from OpenSIPS configuration

# Edit opensips.cfg and remove/comment out lines using codec_delete_except_re or codec_delete_re

Network filtering (all platforms)

Implement SIP message validation at network perimeter to filter malformed SDP bodies

# Use SIP-aware firewall or IDS/IPS with rules to detect malformed SDP

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to OpenSIPS servers
  • Deploy rate limiting on SIP traffic to reduce impact of DoS attempts

🔍 How to Verify

Check if Vulnerable:

Check OpenSIPS version and review configuration for use of codec_delete_except_re or codec_delete_re functions

Check Version:

opensips -V

Verify Fix Applied:

Verify OpenSIPS version is 3.1.7 or 3.2.4 or higher, and test with malformed SDP messages
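The version and configuration check described above can be scripted. The following is an added example, not code from OpenSIPS or from the advisory; the function names, the status labels, the `version: opensips X.Y.Z` banner format and the sample config are assumptions made for illustration.

```python
import re

# Fixed releases per branch, as stated on this page.
FIXED = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 4)}
FUNC_RE = re.compile(r"\b(codec_delete_except_re|codec_delete_re)\s*\(")

def parse_version(banner):
    """Pull (major, minor, patch) out of `opensips -V` output."""
    m = re.search(r"opensips\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenSIPS version found in banner")
    return tuple(int(p) for p in m.groups())

def version_is_affected(ver):
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    # Assumption: branches older than 3.1 have no fixed release named on
    # the page, so treat them as affected; branches after 3.2 as fixed.
    return branch < (3, 1)

def risky_calls(cfg_text):
    """Return [(line_no, function)] for calls outside comments."""
    # Blank out /* ... */ blocks but keep newlines so line numbers hold.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  cfg_text, flags=re.S)
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comment; trailing comments are not stripped
        hits += [(no, m.group(1)) for m in FUNC_RE.finditer(line)]
    return hits

def assess(banner, cfg_text):
    affected = version_is_affected(parse_version(banner))
    calls = risky_calls(cfg_text)
    if affected and calls:
        return "EXPOSED", calls
    if affected:
        return "AFFECTED_VERSION_FUNCTIONS_UNUSED", calls
    return "PATCHED", calls

# Constructed sample input (not from a real deployment).
SAMPLE_BANNER = "version: opensips 3.2.3 (x86_64/linux)"
SAMPLE_CFG = """route {
    # codec_delete_re("PCMA");
    /* codec_delete_except_re("PCMU"); */
    if (is_method("INVITE"))
        codec_delete_except_re("PCMA|PCMU");
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CFG))
```

Feed it the real output of `opensips -V` and the contents of opensips.cfg (plus any included files) to get a per-host result.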

📡 Detection & Monitoring

Log Indicators:

  • OpenSIPS crash logs
  • Abort messages in system logs
  • Unexpected service restarts

Network Indicators:

  • SIP messages with malformed SDP bodies lacking line feed termination
  • Sudden drop in SIP traffic

SIEM Query:

source="opensips.log" AND ("abort" OR "crash" OR "segmentation fault")
