CVE-2024-3119

9.0 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in sngrep allows remote attackers to execute arbitrary code or cause denial of service through specially crafted SIP messages. This affects all versions of sngrep since v0.4.2. Anyone using sngrep to monitor or analyze SIP traffic is potentially vulnerable.

💻 Affected Systems

Products:
  • sngrep
Versions: v0.4.2 through v1.8.0
Operating Systems: Linux, BSD, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations processing SIP traffic with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the sngrep process, potentially leading to full system compromise.

🟠 Likely Case

Denial of service through application crash, disrupting SIP monitoring capabilities.

🟢 If Mitigated

Limited impact if sngrep runs with minimal privileges and network exposure is restricted.

🌐 Internet-Facing: HIGH - sngrep processes SIP traffic which often comes from untrusted sources, including internet-facing SIP proxies.
🏢 Internal Only: MEDIUM - Internal SIP traffic could still be malicious, but attack surface is reduced compared to internet exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in header parsing functions that process incoming SIP messages, requiring no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.8.1

Vendor Advisory: https://github.com/irontec/sngrep/releases/tag/v1.8.1

Restart Required: Yes

Instructions:

1. Download sngrep v1.8.1 from GitHub releases.
2. Stop any running sngrep processes.
3. Install the new version using your system's package manager or compile from source.
4. Restart sngrep services.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Restrict sngrep to only process SIP traffic from trusted internal sources.

Process Isolation (applies to: Linux)

Run sngrep with minimal privileges using containerization or dedicated user accounts.

# Create a dedicated system account with no login shell
sudo useradd -r -s /bin/false sngrep-user
# Note: live capture needs raw-socket privileges (CAP_NET_RAW); grant them to the
# binary with setcap, or have the unprivileged user analyze saved pcap files
# with "sngrep -I <file>" instead of running the whole process as root
sudo -u sngrep-user sngrep

🧯 If You Can't Patch

  • Disable sngrep entirely until patching is possible
  • Implement strict network filtering to only allow SIP traffic from trusted sources to reach sngrep

🔍 How to Verify

Check if Vulnerable:

Run 'sngrep --version' and check if version is between v0.4.2 and v1.8.0 inclusive.

Check Version:

sngrep --version

Verify Fix Applied:

Confirm version is v1.8.1 or later with 'sngrep --version' and test with sample SIP traffic.

📡 Detection & Monitoring

Log Indicators:

  • sngrep crash logs
  • segmentation fault errors in system logs
  • unexpected process termination

Network Indicators:

  • Unusually long Call-ID or X-Call-ID headers in SIP traffic
  • SIP messages with malformed headers targeting sngrep
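The "unusually long Call-ID or X-Call-ID" indicator above can be checked mechanically. The following is an added example, not code from the advisory or from the sngrep project: it parses the header section of a SIP message (including RFC 3261 line folding and the compact form "i" for Call-ID) and flags watched headers whose value exceeds a length threshold. The threshold and the sample messages are constructed assumptions for illustration.

```python
import re

# Assumed threshold (not from the advisory): Call-ID values in normal traffic
# are short opaque tokens, so anything well beyond this is worth alerting on.
MAX_CALLID_LEN = 256

# Headers named in the advisory, plus the RFC 3261 compact form "i" for Call-ID.
WATCHED = {"call-id": "Call-ID", "i": "Call-ID", "x-call-id": "X-Call-ID"}


def parse_sip_headers(raw: bytes):
    """Return (lowercased name, value) pairs from a SIP message's header section.

    Only the part before the first blank line is parsed; the request/status
    line is skipped and folded continuation lines are joined to their header.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop request/status line
    headers = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("ascii", "replace"), value.strip()))
    return headers


def suspicious_callids(raw: bytes, limit: int = MAX_CALLID_LEN):
    """Return [(canonical header name, value length)] for watched headers over limit."""
    hits = []
    for name, value in parse_sip_headers(raw):
        canon = WATCHED.get(name)
        if canon and len(value) > limit:
            hits.append((canon, len(value)))
    return hits


# Constructed sample messages (not real captures).
BENIGN = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          b"CSeq: 1 INVITE\r\n\r\n")
OVERSIZED = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
             b"i: " + b"A" * 600 + b"\r\n"
             b"X-Call-ID: " + b"B" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, suspicious_callids(msg))
```

Feed it messages from a capture pipeline and raise an alert on any non-empty result; the length threshold should be tuned to what your own SIP peers actually emit.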

SIEM Query:

process:sngrep AND (event:crash OR signal:SIGSEGV)
