ID

VAR-202110-1542


CVE

CVE-2021-41145


TITLE

FreeSWITCH  Vulnerability regarding lack of memory release after expiration in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013897

DESCRIPTION

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7. FreeSWITCH Contains a vulnerability regarding the lack of free memory after expiration.Service operation interruption (DoS) It may be in a state. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications

Trust: 1.71

sources: NVD: CVE-2021-41145 // JVNDB: JVNDB-2021-013897 // VULHUB: VHN-397864

AFFECTED PRODUCTS

vendor:freeswitchmodel:freeswitchscope:ltversion:1.10.7

Trust: 1.0

vendor:freeswitchmodel:freeswitchscope:eqversion: -

Trust: 0.8

vendor:freeswitchmodel:freeswitchscope:eqversion:1.10.7

Trust: 0.8

sources: JVNDB: JVNDB-2021-013897 // NVD: CVE-2021-41145

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41145
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2021-41145
value: HIGH

Trust: 1.0

NVD: CVE-2021-41145
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202110-1765
value: HIGH

Trust: 0.6

VULHUB: VHN-397864
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41145
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-397864
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41145
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2021-41145
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-41145
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-397864 // JVNDB: JVNDB-2021-013897 // CNNVD: CNNVD-202110-1765 // NVD: CVE-2021-41145 // NVD: CVE-2021-41145

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

problemtype:CWE-401

Trust: 1.1

problemtype:Lack of memory release after expiration (CWE-401) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-397864 // JVNDB: JVNDB-2021-013897 // NVD: CVE-2021-41145

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1765

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202110-1765

PATCH

title:FreeSWITCH v1.10.7 Release GitHuburl:https://github.com/signalwire/freeswitch/releases/tag/v1.10.7

Trust: 0.8

title:FreeSWITCH Remediation of resource management error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167159

Trust: 0.6

sources: JVNDB: JVNDB-2021-013897 // CNNVD: CNNVD-202110-1765

EXTERNAL IDS

db:NVDid:CVE-2021-41145

Trust: 3.3

db:JVNDBid:JVNDB-2021-013897

Trust: 0.8

db:CNNVDid:CNNVD-202110-1765

Trust: 0.7

db:PACKETSTORMid:164624

Trust: 0.7

db:VULHUBid:VHN-397864

Trust: 0.1

sources: VULHUB: VHN-397864 // JVNDB: JVNDB-2021-013897 // CNNVD: CNNVD-202110-1765 // NVD: CVE-2021-41145

REFERENCES

url:https://github.com/signalwire/freeswitch/security/advisories/ghsa-jvpq-23v4-gp3m

Trust: 1.7

url:https://github.com/signalwire/freeswitch/releases/tag/v1.10.7

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-41145

Trust: 1.4

url:http://seclists.org/fulldisclosure/2021/oct/42

Trust: 0.6

url:https://packetstormsecurity.com/files/164624/freeswitch-1.10.6-sip-flooding-denial-of-service.html

Trust: 0.6

sources: VULHUB: VHN-397864 // JVNDB: JVNDB-2021-013897 // CNNVD: CNNVD-202110-1765 // NVD: CVE-2021-41145

SOURCES

db:VULHUBid:VHN-397864
db:JVNDBid:JVNDB-2021-013897
db:CNNVDid:CNNVD-202110-1765
db:NVDid:CVE-2021-41145

LAST UPDATE DATE

2024-11-23T23:04:02.627000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-397864date:2022-08-12T00:00:00
db:JVNDBid:JVNDB-2021-013897date:2022-09-29T06:31:00
db:CNNVDid:CNNVD-202110-1765date:2022-08-15T00:00:00
db:NVDid:CVE-2021-41145date:2024-11-21T06:25:35.337

SOURCES RELEASE DATE

db:VULHUBid:VHN-397864date:2021-10-25T00:00:00
db:JVNDBid:JVNDB-2021-013897date:2022-09-29T00:00:00
db:CNNVDid:CNNVD-202110-1765date:2021-10-25T00:00:00
db:NVDid:CVE-2021-41145date:2021-10-25T22:15:07.777