The weaknesses are in PJSIP, an open-source multimedia communication library used by the Asterisk PBX toolkit and, through it, by many VoIP deployments. WhatsApp and BlueJeans are just two of the most popular communication applications worldwide that rely on this library, which has now been found to contain new security flaws.
The faulty library has one thing in common with the Apache Log4j logging library scandal that began in December: it is very widely used. PJSIP is also the SIP stack behind Asterisk, an open-source, enterprise-class PBX (private branch exchange) toolkit that powers a range of voice-over-IP (VoIP) solutions.
According to the Asterisk website, the software is downloaded 2 million times each year and is installed on 1 million servers in 170 countries. SMBs, companies, call centers, carriers, and governments employ Asterisk to power IP PBX systems, VoIP gateways, and conferencing servers.
On Monday, the DevOps platform provider JFrog Security disclosed five memory-corruption vulnerabilities in PJSIP, which provides an API used by IP telephony applications such as voice-over-IP (VoIP) phones and conferencing apps. According to JFrog researchers, an attacker who successfully exploits the vulnerabilities can achieve remote code execution (RCE) in an application that embeds the PJSIP library. PJSIP’s maintainers have patched all five CVEs following JFrog’s disclosure.
According to JFrog’s technical breakdown, the PJSIP framework includes a library called PJSUA that exposes a high-level API for SIP applications. Three of the flaws are stack buffer overflows that can lead to RCE and carry a CVSS score of 8.1. The remaining two vulnerabilities in the PJSUA API are an out-of-bounds read and a buffer overflow, both of which can cause a denial of service (DoS) and are rated CVSS 5.9.
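The flaw classes named above (a stack buffer overflow and an out-of-bounds read on attacker-supplied SIP input) come down to copying or reading a caller-controlled field without checking its length against the fixed-size buffer that receives it. The following is an added illustration written for this article, not PJSIP or PJSUA code and not tied to any of the five CVEs: a constructed SIP-address parser shown once with the unbounded-copy defect and once with explicit length checks, so the mitigation pattern is visible side by side with the defect. All names (`sip_addr`, `parse_addr_unsafe`, `parse_addr_safe`, the buffer sizes) are invented for the example.

```c
/* Added example, not from PJSIP: a "user@host" parser in two versions.
 * The unsafe version shows the stack-overflow class described in the
 * article; the safe version shows the bounded-length fix. */
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* sizes are arbitrary, chosen for the example */
#define HOST_MAX 64

struct sip_addr {
    char user[USER_MAX];
    char host[HOST_MAX];
};

/* Vulnerable pattern: the copy length comes from the input, not from the
 * destination size. With a user or host part longer than the buffer this
 * overruns the stack frame of the caller. Kept here only to show the
 * defect; the demo never runs it on over-length input. */
int parse_addr_unsafe(const char *uri, struct sip_addr *out)
{
    const char *at = strchr(uri, '@');
    if (at == NULL)
        return -1;
    memcpy(out->user, uri, (size_t)(at - uri));   /* unbounded copy */
    out->user[at - uri] = '\0';
    strcpy(out->host, at + 1);                     /* unbounded copy */
    return 0;
}

/* Hardened version: every copy is bounded by the destination size, and an
 * over-length field is rejected with an error rather than silently
 * truncated, so the caller can drop the message and log it. */
int parse_addr_safe(const char *uri, struct sip_addr *out)
{
    const char *at = strchr(uri, '@');
    if (at == NULL)
        return -1;                                 /* malformed: no '@' */
    size_t ulen = (size_t)(at - uri);
    size_t hlen = strlen(at + 1);
    if (ulen == 0 || ulen >= USER_MAX)             /* keep room for NUL */
        return -2;                                 /* user part too long */
    if (hlen == 0 || hlen >= HOST_MAX)
        return -3;                                 /* host part too long */
    memcpy(out->user, uri, ulen);
    out->user[ulen] = '\0';
    memcpy(out->host, at + 1, hlen);
    out->host[hlen] = '\0';
    return 0;
}

/* Helper for checking results: returns the parser's status code, or 99
 * when parsing succeeded but the fields differ from what was expected. */
int check_safe(const char *uri, const char *exp_user, const char *exp_host)
{
    struct sip_addr a;
    int rc = parse_addr_safe(uri, &a);
    if (rc != 0)
        return rc;
    return (strcmp(a.user, exp_user) == 0 && strcmp(a.host, exp_host) == 0)
           ? 0 : 99;
}

/* Constructed over-length input: a 150-byte user part, far beyond USER_MAX.
 * The safe parser must reject it with -2 instead of writing past the buffer. */
int check_long_user_rejected(void)
{
    char uri[200];
    struct sip_addr a;
    memset(uri, 'A', 150);
    memcpy(uri + 150, "@h", 3);                    /* copies the NUL too */
    return parse_addr_safe(uri, &a);
}

int main(void)
{
    struct sip_addr a;
    /* Benign input works with either version. */
    printf("safe, benign input: rc=%d\n",
           parse_addr_safe("alice@example.invalid", &a));
    printf("  user=%s host=%s\n", a.user, a.host);
    /* Hostile-length input: only the safe version is exercised. */
    printf("safe, 150-byte user part: rc=%d (rejected)\n",
           check_long_user_rejected());
    return 0;
}
```

The point of the safe variant is that the bound comes from the destination (`USER_MAX`, `HOST_MAX`), never from the input, and that an over-length field is a hard error the application can count and alert on rather than a truncation it never notices.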
Such flaws are nothing new in PJSIP or in other widely used videoconferencing implementations. In August 2018, Google Project Zero researcher Natalie Silvanovich reported critical vulnerabilities in WebRTC (used by Chrome, Safari, Firefox, Facebook Messenger, Signal, and others), in PJSIP (used by WhatsApp, BlueJeans, and millions of Asterisk installations), and in Apple’s proprietary FaceTime library.
“If exploited, such vulnerabilities would have let attackers crash apps using the implementation, by merely placing a video call,” noted Ronen Slavin, who was then the head of research at Reason Cybersecurity and is now the co-founder and CTO at the source code control, detection, and response platform Cycode, back in 2019. “This would have then triggered a memory heap overflow which could allow the attacker to take over the victim’s video calling account.”
Skype, Google Hangouts, WhatsApp, and other such apps “have made it easy to have meaningful face-to-face interactions between two points anywhere on the globe,” he wrote. That was true then; since then, the pandemic has added fuel to the fire when it comes to virtual connections, which makes it all the more important to follow JFrog’s advice and patch as soon as possible.