The Security team from JFrog has identified five memory corruption vulnerabilities in the PJSIP library, a widely used open-source multimedia communication library from Teluu. Successful exploitation of these vulnerabilities could lead to arbitrary code execution in the application that uses the PJSIP library. We recommend all the application developers read the post that tells how to fix the five memory corruption vulnerabilities in the PJSIP library.
What Is PJSIP Library?
PJSIP is a free and open-source multimedia communication library written in C language. It is most likely used in the implementation of standard protocols such as SIP, SDP, RTP, STUN, TURN, and ICE protocols. It combines signaling protocol (SIP) with a rich multimedia framework and NAT traversal functionality into a high-level API that is compatible with desktops, embedded systems, mobile, and tablets.
Basically, it provides an API service that supports audio, video, and instant messaging features that can be used in communication platforms such as VoIP phones and conference applications. Now, It is being used in the world’s most popular communication applications such as WhatsApp, BlueJeans, and Asterisk.
Summary Of the Five Memory Corruption Vulnerabilities In PJSIP Library:
JFrog’s security team identified five memory corruption vulnerabilities in PJSIP Library whose CVSS scores range from 8.1 to 5.9. Successful exploitation of these vulnerabilities could allow an attacker to perform arbitrary code execution in the application that uses the PJSIP library. Please visit this post from JFrog Security Team for more technical details.
|CVE ID||Description||Impact||JFrog CVSS|
|CVE-2021-43299||Stack overflow in PJSUA API when calling pjsua_player_create||Arbitrary Code Execution||8.1|
|CVE-2021-43300||Stack overflow in PJSUA API when calling pjsua_recorder_create||Arbitrary Code Execution||8.1|
|CVE-2021-43301||Stack overflow in PJSUA API when calling pjsua_playlist_create||Arbitrary Code Execution||8.1|
|CVE-2021-43302||Read out-of-bounds in PJSUA API when calling pjsua_recorder_create||Denial of Service||5.9|
|CVE-2021-43303||Buffer overflow in PJSUA API when calling pjsua_call_dump||Denial of Service||5.9|
PJSIP Library Affected By These Vulnerabilities:
The PJSIP library before version 2.12 and pass attacker-controlled arguments to any of these following APIs are vulnerable to these memory corruption flaws:
- pjsua_player_create – filename argument must be attacker-controlled
- pjsua_recorder_create – filename argument must be attacker-controlled
- pjsua_playlist_create – file_names argument must be (partially) attacker-controlled
- pjsua_call_dump – buffer argument capacity must be smaller than 128 bytes
All the application developers who use PJSIP Library in their development projects need to fix these five memory corruption vulnerabilities in the PJSIP library.
How To Fix The Five Memory Corruption Vulnerabilities In PJSIP Library?
The authors of the PJSIP library has responded to the vulnerabilities as soon as JFrog’s security team reported these flaws to them. PJSIP authors have fixed the flaws by releasing version 2.12. We recommend that all application developers upgrade to v1.12 and above who use the PJSIP library.
We hope this post will help you know How to Fix the Five Memory Corruption Vulnerabilities in PJSIP Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.