CVE-2023-40019

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Sep 15, 2023
Updated: Sep 21, 2023
CWE ID 770

Summary

CVE-2023-40019 is a vulnerability found in FreeSWITCH, a Software Defined Telecom Stack used for digital transformation of telecom switches. This vulnerability affects versions prior to 1.10.10 and allows authorized users to initiate a denial of service attack by sending re-INVITE with Session Description Protocol (SDP) containing duplicate codec names. When FreeSWITCH completes codec negotiation, the system sets the `codec_string` channel variable with the negotiation result. In subsequent re-negotiations, if an SDP is offered with codecs having the same names but different formats, it can cause an overflow in FreeSWITCH's internal arrays, leading to system crashes or undefined behavior. The affected products include Qtq_OR, t0KDpL, t0KDpM, and several others. To remediate this vulnerability, users should update to version 1.10.10 that includes a patch for this issue. This vulnerability has a base severity rating of MEDIUM and can be exploited with low privileges required over a network connection, potentially impacting the availability of the system.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-40019 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options