CVE-2023-38703 – CVE-2023-38703 is a use-after-free vulnerabilit... (How to Fix)

📋 TL;DR

CVE-2023-38703 is a use-after-free vulnerability in PJSIP's SRTP implementation that occurs when higher-level media transport isn't properly synchronized with lower-level transport. This can lead to memory corruption, application crashes, or potential remote code execution. Affected systems are those using PJSIP with SRTP capability and non-UDP underlying transport.

💻 Affected Systems

Products:

PJSIP/pjproject library

Versions: All versions before commit 6dc9b8c181aff39845f02b4626e0812820d4ef0d

Operating Systems: All platforms running PJSIP

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when PJMEDIA_HAS_SRTP is enabled AND using non-UDP underlying transport (like ICE)

📦 What is this software?

Pjsip by Teluu

View all CVEs affecting Pjsip →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise and attacker persistence

🟠

Likely Case

Application crashes causing denial of service and potential memory corruption

🟢

If Mitigated

Application termination without further impact if memory protections are in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted SRTP packets to vulnerable endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Master branch commit 6dc9b8c181aff39845f02b4626e0812820d4ef0d

Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66

Restart Required: Yes

Instructions:

1. Update to latest pjproject master branch
2. Recompile your application with the patched library
3. Restart all services using PJSIP

🔧 Temporary Workarounds

Disable SRTP

all

Disable SRTP capability by setting PJMEDIA_HAS_SRTP=0 during compilation

export PJMEDIA_HAS_SRTP=0
./configure
make clean
make
make install

Use UDP-only transport

all

Configure applications to use only UDP as underlying transport

🧯 If You Can't Patch

Implement network segmentation to isolate vulnerable systems
Deploy WAF/IPS rules to block suspicious SRTP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check if application uses PJSIP with SRTP enabled and non-UDP transport

Check Version:

git log --oneline | grep 6dc9b8c181aff39845f02b4626e0812820d4ef0d

Verify Fix Applied:

Verify pjproject version includes commit 6dc9b8c181aff39845f02b4626e0812820d4ef0d

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Unexpected termination of PJSIP-based services

Network Indicators:

Unusual SRTP traffic patterns
Malformed SRTP packets to non-UDP ports

SIEM Query:

source="application.log" AND ("pjsip" OR "SRTP") AND ("crash" OR "segfault" OR "access violation")

📊 Metadata

CVE ID: CVE-2023-38703

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: October 6, 2023

Last Updated: April 10, 2025

🔗 References

https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d Patch
https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66 Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html Mailing List
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d Patch
https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66 Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-38703, you might also want to check these: