CVE-2023-40018 - Vulnerability Details - OpenCVE

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Freeswitch	Freeswitch

Configuration 1 [-]

cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/signalwire/freeswitch/releases/tag/v1.10.10
https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3

History

Wed, 25 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T19:32:19.207Z

Updated: 2024-09-25T18:02:59.227Z

Reserved: 2023-08-08T13:46:25.242Z

Link: CVE-2023-40018

Vulnrichment

Updated: 2024-08-02T18:24:54.689Z

NVD

Status : Modified

Published: 2023-09-15T20:15:09.447

Modified: 2024-11-21T08:18:31.417

Link: CVE-2023-40018

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40018", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-08T13:46:25.242Z", "datePublished": "2023-09-15T19:32:19.207Z", "dateUpdated": "2024-09-25T18:02:59.227Z"}, "containers": {"cna": {"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"}, {"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"}], "affected": [{"vendor": "signalwire", "product": "freeswitch", "versions": [{"version": "< 1.10.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T19:32:19.207Z"}, "descriptions": [{"lang": "en", "value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."}], "source": {"advisory": "GHSA-7mwp-86fv-hcg3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.689Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"}, {"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T18:02:51.253210Z", "id": "CVE-2023-40018", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:02:59.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.689Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40018", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T18:02:51.253210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:02:55.336Z"}}], "cna": {"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID", "source": {"advisory": "GHSA-7mwp-86fv-hcg3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "signalwire", "product": "freeswitch", "versions": [{"status": "affected", "version": "< 1.10.10"}]}], "references": [{"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T19:32:19.207Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40018", "state": "PUBLISHED", "dateUpdated": "2024-09-25T18:02:59.227Z", "dateReserved": "2023-08-08T13:46:25.242Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-15T19:32:19.207Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FBCE979-CA36-45E2-B9DE-11B260D2AB19", "versionEndExcluding": "1.10.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."}, {"lang": "es", "value": "FreeSWITCH es una pila de telecomunicaciones definida por software que permite la transformaci\u00f3n digital de switches de telecomunicaciones propietarios a una implementaci\u00f3n de software que se ejecuta en cualquier hardware b\u00e1sico. Antes de la versi\u00f3n 1.10.10, FreeSWITCH permit\u00eda a los usuarios remotos activar escritura fuera de l\u00edmites ofreciendo un candidato ICE con un ID de componente desconocido. Cuando se ofrece un SDP con candidatos ICE con un ID de componente desconocido, FreeSWITCH realizar\u00e1 una escritura fuera de l\u00edmites en sus matrices. Al abusar de esta vulnerabilidad, un atacante puede corromper la memoria de FreeSWITCH, lo que provoca un comportamiento indefinido del sistema o un bloqueo del mismo. La versi\u00f3n 1.10.10 contiene un parche para este problema."}], "id": "CVE-2023-40018", "lastModified": "2024-11-21T08:18:31.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-09-15T20:15:09.447", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "[email protected]", "type": "Secondary"}]}