[SA-0004] - Security Advisory: SER Header Injection

Dear valued Sippy Customer,

A security vulnerability was reported in a third-party module used in our Softswitch. SER, which handles SIP signalling, has been fixed by its maintainers, and that fix is now incorporated in all our production versions. The vulnerability leaves switch operators exposed to SIP header injection attacks. In the worst case it could allow toll fraud, caller-ID spoofing and authentication bypass. Additional details can be found here:

A corrective security patch is now available for all our production versions from v5.0 up to Sippy 2020. Customers running OpenSIPS as the signalling package on Sippy v5.2 are not affected by this issue. The patch has been tested with Sippy Softswitch and approved for deployment since November 4th 2020.

Vulnerability Impact and types

We have assessed how you may be impacted by this vulnerability. Please see the table below.

Area of concern         Details
Confidentiality Impact  No impact. Customer data is not accessed as part of this vulnerability.
Integrity Impact        Moderate. SIP headers can be adjusted to manipulate some of the fields that feed CDR data and billing records.
Availability Impact     No impact. Customer systems should remain up and available to serve additional traffic.
Gained Access           Low. Call authentication could be bypassed, allowing traffic that would ordinarily be blocked.
Vulnerability Type      SIP header injection
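As an added illustration of the vulnerability class named above, and not code from Sippy or SER (the advisory does not describe the specific SER defect, so this does not reproduce it): a naive SIP INVITE builder that writes a caller-controlled display name straight into the From header, the hardened builder that validates that input first, and a minimal header parser showing what a receiving proxy would see once a CRLF has smuggled in a forged P-Asserted-Identity header. All names, URIs and the attacker string are constructed sample data, and the allowed-character policy for user parts is an assumption.

```python
"""Illustration of the SIP header injection class this advisory names.

Added example, not code from Sippy or SER, and not the SER defect itself
(the advisory does not describe it). It shows the generic failure mode:
caller-controlled text is written into a SIP header without validation, so an
embedded CRLF smuggles in an extra header such as P-Asserted-Identity, which
downstream billing or identity logic may trust. All messages and names below
are constructed sample data.
"""

CRLF = "\r\n"
_FORBIDDEN = {"\r", "\n", "\x00"}


def build_invite_naive(display: str, user: str, callee: str) -> str:
    """Vulnerable builder: interpolates the display name and user unchecked."""
    return (
        f"INVITE sip:{callee}@example.net SIP/2.0{CRLF}"
        f"From: \"{display}\" <sip:{user}@example.net>;tag=c0ffee{CRLF}"
        f"To: <sip:{callee}@example.net>{CRLF}"
        f"Call-ID: constructed-call-id-1@example.net{CRLF}"
        f"CSeq: 1 INVITE{CRLF}"
        f"Content-Length: 0{CRLF}"
        f"{CRLF}"
    )


def quote_display_name(display: str) -> str:
    """Encode a display name as an RFC 3261 quoted-string; reject CR, LF and NUL."""
    if any(c in _FORBIDDEN for c in display):
        raise ValueError("control characters are not allowed in a display name")
    return '"' + display.replace("\\", "\\\\").replace('"', '\\"') + '"'


def check_user_part(user: str) -> str:
    """Allow only the characters this (assumed) policy permits in a SIP user part."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-_.")
    if not user or any(c not in allowed for c in user):
        raise ValueError(f"unexpected character in user part: {user!r}")
    return user


def build_invite_safe(display: str, user: str, callee: str) -> str:
    """Hardened builder: validates every caller-controlled field before use."""
    dn = quote_display_name(display)
    u = check_user_part(user)
    c = check_user_part(callee)
    return (
        f"INVITE sip:{c}@example.net SIP/2.0{CRLF}"
        f"From: {dn} <sip:{u}@example.net>;tag=c0ffee{CRLF}"
        f"To: <sip:{c}@example.net>{CRLF}"
        f"Call-ID: constructed-call-id-1@example.net{CRLF}"
        f"CSeq: 1 INVITE{CRLF}"
        f"Content-Length: 0{CRLF}"
        f"{CRLF}"
    )


def parse_headers(msg: str) -> dict:
    """Minimal SIP header parser: header name (lower-cased) -> list of values.

    Enough to show what a receiving proxy sees; it ignores the request line and
    does not handle header folding or compact header names.
    """
    head, _, _body = msg.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# Constructed attacker input: a display name carrying CRLF plus a forged identity header.
INJECTED_DISPLAY = 'Alice\r\nP-Asserted-Identity: <sip:+15551234567@example.net>'


def demo():
    """Return (injection succeeded against naive builder, rejected by safe builder)."""
    naive = parse_headers(build_invite_naive(INJECTED_DISPLAY, "alice", "bob"))
    injected = "p-asserted-identity" in naive
    try:
        build_invite_safe(INJECTED_DISPLAY, "alice", "bob")
        blocked = False
    except ValueError:
        blocked = True
    return injected, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The parser is deliberately simple; the point is that a header value which is never checked for CR/LF becomes a header boundary on the wire, and the receiving side cannot tell a forged P-Asserted-Identity from a legitimate one. The fix belongs at the point where untrusted text enters the message, not in the parser.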

Affected Versions and Resolution Plan

The corrective steps depend on which version of the software and which signalling package you are running. The table below outlines them.

Product Version                    Signaling Package   Resolution Plan
Sippy Softswitch v4.5 and earlier  SER                 Contact sales@sippysoft.com
Sippy Softswitch v5.0              SER                 Update to the latest version of Sippy Softswitch v5.0, or plan an upgrade to Sippy Softswitch v5.2 and enable OpenSIPS
Sippy Softswitch v5.1              SER                 Update to the latest version of Sippy Softswitch v5.1, or update to the latest version of Sippy Softswitch v5.2 and enable OpenSIPS
Sippy Softswitch v5.2              SER                 Switch signaling to OpenSIPS
Sippy Softswitch v5.2              OpenSIPS            No action needed
Sippy Softswitch 2020              OpenSIPS            No action needed

Next steps

Customers on Flex Licenses and active support agreements are eligible for the patch, which will be applied on a priority basis. Customers on Sippy Softswitch v4.5 or earlier, or without a current support agreement, should contact sales@sippysoft.com for further instructions.

Sincerely,

Phillip Ma

Product Manager

Sippy Software.