Security News > 2021 > October > Critical Remote Hacking Flaws Disclosed in Linphone and MicroSIP Softphones
Multiple security vulnerabilities have been disclosed in softphone software from Linphone and MicroSIP that could be exploited by an unauthenticated remote adversary to crash the client and even extract sensitive information like password hashes by simply making a malicious call.
SIP aka Session Initiation Protocol is a signaling protocol that's used to control interactive communication sessions, such as voice, video, chat and instant messaging, as well as games and virtual reality, between endpoints, in addition to defining rules that govern the establishment and termination of each session.
A typical session in SIP commences with a user agent sending an INVITE message to a peer through SIP proxies - which are used to route requests - that, when accepted on the other end by the recipient, results in the call initiator being notified, followed by the actual data flow.
The attack devised by SySS is what's called a SIP Digest Leak, which involves sending a SIP INVITE message to the target softphone to negotiate a session followed by sending a "407 proxy authentication required" HTTP response status code, indicating the inability to complete the request because of a lack of valid authentication credentials, prompting the softphone to respond back with the necessary authentication data.
Also discovered is a NULL pointer dereference vulnerability in the Linphone SIP stack that could be triggered by an unauthenticated remote attacker by sending a specially crafted SIP INVITE request that could crash the softphone.
The disclosure is the second time a NULL pointer dereference vulnerability has been discovered in the Linphone SIP client.