English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.112340
Category:Denial of Service
Title:Kamailio < 5.0.7 & 5.1.x < 5.1.4 Multiple DoS Vulnerabilities
Summary:Kamailio is prone to multiple denial of service vulnerabilities; which may result in a crash of the system.
Description:Summary:
Kamailio is prone to multiple denial of service vulnerabilities
which may result in a crash of the system.

Vulnerability Insight:
The following vulnerabilities exist:

- CVE-2018-14767: A security vulnerability in the Kamailio SIP server related to the 'To' header
processing. A specially crafted SIP message with double To header and an empty To tag causes a
segmentation fault and crashes Kamailio. The reason is missing input validation in the
build_res_buf_from_sip_req core function.

- CVE-2018-16657: A security vulnerability in the Kamailio core related to Via header processing.
A specially crafted SIP message with an invalid Via header causes a segmentation fault and crashes
Kamailio. The reason is missing input validation in the crcitt_string_array core function for
calculating a CRC hash for To tags. An additional error is present in the check_via_address core
function, this function also misses input validation.

Vulnerability Impact:
Abuse of this vulnerability leads to denial of service in Kamailio.
Further research may show that exploitation leads to remote code execution. This vulnerability is
rather old and will probably also apply to older versions of Kamailio and maybe even OpenSER.

Affected Software/OS:
Kamailio versions before 5.0.7 and 5.1.x before 5.1.4.

Solution:
Apply the patch from github or make use of a release that
includes that patch (e.g. 5.1.4 or 5.0.7). At the moment no workarounds (e.g. in the configuration)
are known.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2018-14767
Debian Security Information: DSA-4267 (Google Search)
https://www.debian.org/security/2018/dsa-4267
https://skalatan.de/blog/advisory-hw-2018-05
https://lists.debian.org/debian-lts-announce/2018/08/msg00018.html
Common Vulnerability Exposure (CVE) ID: CVE-2018-16657
Debian Security Information: DSA-4292 (Google Search)
https://www.debian.org/security/2018/dsa-4292
https://skalatan.de/blog/advisory-hw-2018-06
https://lists.debian.org/debian-lts-announce/2018/09/msg00013.html
CopyrightCopyright (C) 2018 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.