CVE-2023-40019

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Sep 15, 2023
Updated: Sep 21, 2023
CWE ID: 770

Summary

CVE-2023-40019 is a vulnerability in FreeSWITCH, a Software Defined Telecom Stack used for digital transformation of telecom switches. It affects versions prior to 1.10.10 and allows an authorized user to cause a denial of service by sending a re-INVITE whose Session Description Protocol (SDP) body contains duplicate codec names. When FreeSWITCH completes codec negotiation, it stores the result in the `codec_string` channel variable. If a later re-negotiation offers an SDP whose codecs share the same names but carry different formats, FreeSWITCH's internal arrays can overflow, leading to a crash or undefined behavior. The affected products include Qtq_OR, t0KDpL, t0KDpM, and several others. To remediate this vulnerability, update to version 1.10.10, which includes a patch for this issue. The vulnerability has a base severity rating of MEDIUM: it is exploitable over a network connection with low privileges and impacts the availability of the system.
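As an added defensive example (not code from this page or from FreeSWITCH), the check below parses the `a=rtpmap` lines of an SDP offer and flags any codec name that is repeated under differing formats, the condition the summary describes; it can serve as a policy hook in a SIP proxy or SBC in front of nodes that cannot yet move to 1.10.10. The sample SDP bodies and the function names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample offers (not taken from the page). The first offers each codec
# once; the second repeats the name "opus" under different payload types and
# clock rates, the shape of re-INVITE SDP the advisory describes.
SDP_NORMAL = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
m=audio 4000 RTP/AVP 0 96
a=rtpmap:0 PCMU/8000
a=rtpmap:96 opus/48000/2
"""
SDP_DUPLICATE = """v=0
o=- 2 2 IN IP4 192.0.2.10
s=-
m=audio 4000 RTP/AVP 96 97 98
a=rtpmap:96 opus/48000/2
a=rtpmap:97 OPUS/16000
a=rtpmap:98 opus/48000/2
"""

# a=rtpmap:<payload type> <encoding name>/<clock rate>[/<encoding parameters>]
RTPMAP_RE = re.compile(r"^a=rtpmap:(\d+)\s+([^/\s]+)/(\d+)(?:/(\d+))?$")

def parse_rtpmaps(sdp: str) -> List[Tuple[int, str, int, int]]:
    """Return (payload_type, name, clock_rate, channels) for each a=rtpmap line.
    Codec names are case-insensitive in SDP, so they are lower-cased."""
    found = []
    for line in sdp.splitlines():
        m = RTPMAP_RE.match(line.strip())
        if m:
            pt, name, rate, channels = m.groups()
            found.append((int(pt), name.lower(), int(rate), int(channels or 1)))
    return found

def find_duplicate_codec_names(sdp: str) -> Dict[str, List[Tuple[int, int, int]]]:
    """Map every codec name offered more than once to its (pt, rate, channels) variants."""
    by_name: Dict[str, List[Tuple[int, int, int]]] = {}
    for pt, name, rate, channels in parse_rtpmaps(sdp):
        by_name.setdefault(name, []).append((pt, rate, channels))
    return {name: v for name, v in by_name.items() if len(v) > 1}

def should_reject_offer(sdp: str) -> bool:
    """Policy hook (hypothetical) for a proxy or SBC in front of an unpatched node:
    reject offers that repeat a codec name with differing (rate, channels) formats,
    which is the condition the advisory says triggers the overflow."""
    return any(len({(r, c) for _, r, c in v}) > 1
               for v in find_duplicate_codec_names(sdp).values())
```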

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
