CVE-2023-40018

7.5 HIGH

📋 TL;DR

FreeSWITCH versions before 1.10.10 contain an out-of-bounds write vulnerability in ICE candidate handling. Remote attackers can trigger memory corruption by sending SDP offers with unknown component IDs, potentially causing crashes or undefined behavior. This affects all FreeSWITCH deployments using vulnerable versions.

💻 Affected Systems

Products:
  • FreeSWITCH
Versions: All versions prior to 1.10.10
Operating Systems: All platforms running FreeSWITCH
Default Config Vulnerable: ⚠️ Yes
Notes: Any FreeSWITCH configuration that processes SDP offers with ICE candidates is vulnerable. This includes SIP, WebRTC, and other signaling protocols.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, though this would require additional exploitation techniques beyond the initial memory corruption.

🟠

Likely Case

Service disruption through denial of service (crash) and potential information disclosure from memory corruption.

🟢

If Mitigated

No impact if patched or if network controls prevent malicious SDP offers.

🌐 Internet-Facing: HIGH - FreeSWITCH often handles external SIP/WebRTC traffic, making internet-facing instances directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal FreeSWITCH instances could still be exploited by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted SDP offer, which is straightforward for attackers familiar with SIP/WebRTC protocols.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.10

Vendor Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3

Restart Required: Yes

Instructions:

1. Back up configuration files.
2. Stop the FreeSWITCH service.
3. Upgrade to version 1.10.10 using the package manager or compile from source.
4. Restart the FreeSWITCH service.
5. Verify the version with 'freeswitch -version'.

🔧 Temporary Workarounds

Network filtering for malicious SDP (applies to: all)

Use SIP firewalls or WAFs to filter SDP offers containing ICE candidates with unknown component IDs.

Disable ICE support (applies to: all)

Disable ICE candidate processing in the FreeSWITCH configuration if it is not required:

<param name="disable-ice" value="true"/> in sip_profiles or other relevant configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FreeSWITCH from untrusted networks
  • Deploy intrusion detection systems to monitor for malicious SDP patterns

🔍 How to Verify

Check if Vulnerable:

Check FreeSWITCH version with 'freeswitch -version' or 'fs_cli -x version'. If version is below 1.10.10, system is vulnerable.

Check Version:

( freeswitch -version 2>/dev/null || fs_cli -x 'version' 2>/dev/null ) | grep -m1 'FreeSWITCH'

Verify Fix Applied:

After patching, verify version is 1.10.10 or higher with 'freeswitch -version'. Test ICE functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault crashes in logs
  • Unexpected memory access errors
  • Abnormal termination of FreeSWITCH processes

Network Indicators:

  • SDP offers with unusual ICE candidate component IDs (not 1 or 2)
  • Multiple failed ICE negotiation attempts from single source
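An added example of the network-indicator check above (this is not code from the page or from FreeSWITCH): a small Python scanner that flags ICE candidate lines whose component ID is anything other than 1 (RTP) or 2 (RTCP). The SDP it runs on is constructed here; it also accepts the bare `candidate:` strings that WebRTC signaling carries, which goes slightly beyond the SDP-only indicator in the text.

```python
import re

# RFC 5245 / RFC 8445 candidate attribute:
#   a=candidate:<foundation> <component-id> <transport> <priority> <addr> <port> typ <type> ...
# The "a=" prefix is optional so bare WebRTC candidate strings are matched too.
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<addr>\S+)\s+(?P<port>\d+)\s+typ\s+(?P<ctype>\S+)",
    re.IGNORECASE,
)

# Only component 1 (RTP) and 2 (RTCP) are defined; anything else is the indicator.
VALID_COMPONENTS = {1, 2}


def find_suspicious_candidates(sdp: str) -> list:
    """Return one finding per candidate line that is malformed or uses an unknown component ID."""
    findings = []
    for lineno, raw in enumerate(sdp.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith(("a=candidate:", "candidate:")):
            continue
        m = CANDIDATE_RE.match(line)
        if m is None:
            # Unparseable candidate: surface it rather than silently skipping it.
            findings.append({"line": lineno, "component": None, "reason": "malformed candidate", "raw": line})
            continue
        comp = int(m.group("component"))
        if comp not in VALID_COMPONENTS:
            findings.append({"line": lineno, "component": comp, "reason": "unknown component id", "raw": line})
    return findings


# Constructed sample offer: two normal host candidates, then one with component ID 7.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
m=audio 49170 RTP/AVP 0
c=IN IP4 192.0.2.10
a=ice-ufrag:F7gI
a=ice-pwd:x9cml/YzichV2+XlhiMu8g
a=candidate:1 1 UDP 2130706431 192.0.2.10 49170 typ host
a=candidate:1 2 UDP 2130706430 192.0.2.10 49171 typ host
a=candidate:2 7 UDP 1694498815 198.51.100.5 51000 typ srflx raddr 192.0.2.10 rport 49170
"""

if __name__ == "__main__":
    for f in find_suspicious_candidates(SAMPLE_SDP):
        print(f"line {f['line']}: {f['reason']} -> {f['raw']}")
```

Feed it the SDP body of each incoming INVITE/offer (or each WebRTC candidate string) at a SIP proxy or SBC tap, and alert on any non-empty result.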

SIEM Query:

source="freeswitch.log" AND ("segmentation fault" OR "SIGSEGV" OR "out of bounds")
