[SA-0008] - Security Advisory: PHP command injection

Hi Everyone,

Sippy Software has been informed of a critical PHP vulnerability that allows attackers to inject commands. The affected PHP versions are exposed to command injection, cookie bypass, account takeover and denial-of-service attacks against your system. An update for Sippy Softswitch v2022 containing a patched version of PHP will be made available. Customers on Sippy 2021 and older are advised to upgrade to the latest Sippy 2022, as the older versions of Sippy software have not been tested with the latest stable version of PHP. Customers are welcome to schedule updates to their production systems with our support teams to correct this issue, starting as early as Tuesday April 30th. In the interim, we strongly suggest ensuring that your firewall policies are in place and limit access to your softswitch from unknown IP addresses.

Critical PHP Vulnerabilities

According to the reports shared with Cyber Security News, these vulnerabilities affect all versions prior to 8.3.5, 8.2.18, 8.1.28, and 8.1.11.

The vulnerabilities identified are as follows:

  • Command injection (CVE-2024-1874).
  • Cookie bypass, due to an insufficient fix for CVE-2022-31629 (CVE-2024-2756).
  • Null byte acceptance leading to account takeover (CVE-2024-3096).
  • Denial of service (CVE-2024-2757).

For more information, please refer to the following article: https://cybersecuritynews.com/patch-php-vulnerabilities-now/

Sincerely,

Phillip Ma

Product Manager

Sippy Software.