Skip to main content

Freeswitch CVE-2021-41145

HIGH
Uncontrolled Resource Consumption (CWE-400)
2021-10-25 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2021 - 22:15 nvd
HIGH 7.5

DescriptionNVD

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.

AnalysisAI

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7. Affected products include: Freeswitch. Version information: version 1.10.7.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

CVE-2021-41157 MEDIUM POC
5.3 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

Share

CVE-2021-41145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy