RCE Bugs in Hugely Popular VoIP Apps: Patch Now!
Some of the world's most popular communication apps are using an open-source library riddled with newfound security holes.
The library, PJSIP - an open-source multimedia communication library - is used by Asterisk.
On Monday, devops platform provider JFrog Security disclosed five memory-corruption vulnerabilities in PJSIP, which supplies an API that can be used by IP telephony applications such as VoIP phones and conference apps.
In its technical breakdown, JFrog researchers explained that the PJSIP framework offers a library named PJSUA that supplies an API for SIP applications.
"If exploited, such vulnerabilities would have let attackers crash apps using the implementation, by merely placing a video call," noted Ronen Slavin, then head of research at Reason Cybersecurity and currently the co-founder and CTO at the source code control, detection, and response platform Cycode, back in 2019.
The pandemic has been gas on the fire when it comes to virtual connections: all the more reason to heed JFrog's advice and patch ASAP.
030222 08:25 UPDATE: A WhatsApp representative told Threatpost that the app doesn't use the PJSIP library, contrary to original reporting.
News URL
https://threatpost.com/rce-bugs-popular-voip-apps-patch-now/178719/