[SA-0004] - Security Advisory: SER Header Injection

Dear valued Sippy Customer,

A security vulnerability was reported in a third party module used in our Softswitch. SER is used to handle SIP signalling and has been fixed by their maintainers. This Fix is now incorporated in all our production versions. This security vulnerability leave Switch Operators vulnerable to SIP header injection attacks. In their worst case scenarios the vulnerability could allow for toll fraud, caller-id spoofing and authentication bypass. Additional details can be found here:

We have made a corrective security patch is now available for all our production versions from 5.0 up to Sippy 2020. Users currently operating OpenSIPS in Sippy v5.2 will not be affected by this issue. This updated patch has been tested with Sippy Softswitch and approved for deployment since November 4th 2020.

Vulnerability Impact and types

We have done some assessments as to how you may be impacted from this security vulnerability. Please see the table below for more information.

Area of concern Details
Confidentiality Impact No impact. Customer data is not accessed as part of this vulnerability.
Integrity Impact Moderate. SIP headers can be adjusted to manipulate some of the fields impacting CDR data and billing records.
Availability Impact No impact. Customers Systems should remain up and available to serve additional traffic
Gained Access Low. Call Authentication systems could be bypassed allowing traffic that would ordinarily be blocked.
Vulnerability Type Sip Header Injection

Affected Versions and Resolution Plan

We have outlined who and what steps are needed for our customers to address this security concern. The corrective steps will depend on what version of software you are using as well as the signalling package that is currently in use. The table below will outline that for you.

Product Version Signaling Package Resolution Plan
Sippy Softswitch v4.5 and earlier SER Contact sales@sippysoft.com
Sippy Softswitch v5.0 SER Update to the latest version of Sippy Softswitch v5.0 or Plan upgrade to Sippy Softswitch 5.2 and enable OpenSIPS
Sippy Softswitch v5.1 SER Update to the latest version of Sippy Softswitch v5.1 Or Update to the latest Version of Sippy Softswitch v5.2 and enable OpenSIPS
Sippy Softswitch v5.2 SER Switch Signaling to OpenSIPS
Sippy Softswitch v5.2 OpenSIPS No action needed.
Sippy Softswitch 2020 OpenSIPS No action needed.

Next steps

Customers on Flex Licenses and Active Support agreements will be eligible for the patch and will be performed on a priority basis. Customers on Sippy Softswitch v4.5 or do not currently have a support agreement are directed to contact sales@sippysoft.com for further instructions.


Phillip Ma

Product Manager

Sippy Software.