The PJSIP open-source library is one of the most used libraries which is used by WhatsApp and several other VoIP applications. But, recently, several critical RCE flaws have been detected in PJSIP open source library.
The PJSIP is a multimedia communication library that is also used by the Asterisk enterprise-class open source PBX toolkit, and it’s mainly utilized to provide voice over IP (VoIP) services.
The official Asterisk site claims that the software has about 2 million downloads per year and runs on 1 million servers in more than 165 countries.
While Asterisk sustains:-
- IP PBX systems
- VoIP gateways
- Conferencing servers
And all these systems are used by the:-
- Small and medium businesses
- Call centers
- Telecom operators
- Government agencies
In total, there are five RCE flaws are detected by the cybersecurity analysts at JFrog security firm, and here they are:-
- CVE-2021-43299 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_player_create, and has a CVSS score of 8.1.
- CVE-2021-43300 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_recorder_create, and has a CVSS score of 8.1.
- CVE-2021-43301 (RCE): It’s a stack overflow in PJSUA API when calling pjsua_playlist_create, and has a CVSS score of 8.1.
- CVE-2021-43302 (DDoS): It’s a read out-of-bounds in PJSUA API when calling pjsua_recorder_create, and has a CVSS score of 5.9.
- CVE-2021-43303 (DDoS): It’s a buffer overflow in PJSUA API when calling pjsua_call_dump, and has a CVSS score of 5.9.
Among these five bugs, three of the vulnerabilities are related to the stack overflow bugs, with a score of 8.1 points on the CVSS scale.
While the remaining two bugs in the PJSUA API are related to the out-of-buffer read vulnerability and the buffer overflow vulnerability with a score of 5.9 points on the CVSS scale.
Apart from this, the threat actors who can successfully trigger the above vulnerabilities can reverse the switch on RCE in an app that uses the open-source multimedia communication library, PJSIP.
In short, successfully exploiting the vulnerabilities allows the threat actors to remotely execute arbitrary code in an application that uses the PJSIP library.
These vulnerabilities have affects all the projects that are using the PJSIP library version 2.12 or older. Here the threat actors can get control of the arguments to any of the following APIs by exploiting these flaws:-
Though instant messaging apps like Skype, WhatsApp, and Google Hangouts have made it easy for anyone to interact face-to-face from anywhere on the globe, these security bugs depict the exact scenario of these applications.