If you're building or maintaining VoIP or multimedia communication apps using PJSIP, you need to know about CVE-2023-38703. This long-read post will take you through what happened, how it can affect your apps, and what to do about it, all in clear language. Let’s dive in.
What is PJSIP?
PJSIP is a popular open source library for creating multimedia communication software — think video calls, voice over IP (VoIP), and more. It’s mostly written in C but provides high-level APIs for C++, Java, C#, and Python. Because it’s free and very flexible, many real-time communication apps depend on it.
What is SRTP and Why Does It Matter Here?
SRTP (Secure Real-time Transport Protocol) is used in communication systems like VoIP to add security (encryption, authentication) for media streams. In PJSIP, SRTP runs as a “higher-level” transport on top of “lower-level” transports, like UDP or ICE.
Think of SRTP as adding a secure envelope around your data while it’s traveling across the internet.
CVE-2023-38703 is a use-after-free vulnerability. Here’s what that means:
- When SRTP (the secure transport) is used over an underlying transport that is NOT UDP (like ICE), the lifetimes of the two aren't kept in sync.
- This leads to _use after free_: the code tries to use something that's already gone.
- Because C is a low-level language, using freed memory can cause crashes, unpredictable behavior, or let an attacker run their own code (control-flow hijack).
Here is a basic demonstration in pseudocode (not the actual PJSIP code):
```c
// Transport setup (simplified example)
pjmedia_transport *ice = create_ice_media_transport();
pjmedia_transport *srtp = create_srtp_transport(ice);
// At some point, the ICE transport is destroyed
destroy_ice_media_transport(ice);
// SRTP, not knowing ICE is gone, tries to use it
srtp_send_packet(srtp, data, len); // Boom: use-after-free!
```
The underlying pointer to 'ice' is now invalid, but the SRTP layer still thinks it is alive.
- Unexpected Crashes: Your app might just terminate, dropping all calls and connections.
- Possible Memory Corruption: Hackers could try to force PJSIP to access freed memory, potentially injecting or running their own code ("control flow hijack").
- Denial of Service: Legitimate uses could be blocked simply by triggering this bug.
This bug doesn't affect all users, only those with the specific configuration mentioned above, but for those users, it's a real risk.
How Was It Fixed?
A patch was released in the PJSIP master branch. The core idea is to synchronize the life cycles between SRTP and its underlying transport, making sure SRTP never tries to use a transport that has already been freed.
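One way to keep the two lifetimes in sync is reference counting, shown here as an added example; it is not PJSIP's code or the actual patch, and every type and function name (`lower_tp`, `secure_tp`, `lower_close`, and so on) is hypothetical. The wrapper pins its member transport, so a send after the application closes the member fails cleanly instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for illustration; not PJSIP's structures or API. */
typedef struct {
    int refcnt;   /* holders: the application plus any wrapping transport */
    int closed;   /* set once the application has shut the transport down */
} lower_tp;
typedef struct { lower_tp *member; } secure_tp;  /* wrapper holds one reference */

int live_lower = 0;   /* lower transports allocated and not yet freed */

lower_tp *lower_create(void) {
    lower_tp *tp = calloc(1, sizeof *tp);
    if (!tp) abort();
    tp->refcnt = 1;   /* the application's reference */
    live_lower++;
    return tp;
}
/* Memory is released only when the last holder lets go. */
void lower_dec_ref(lower_tp *tp) {
    if (--tp->refcnt == 0) { free(tp); live_lower--; }
}
/* Application teardown: stop I/O and drop the application's reference. */
void lower_close(lower_tp *tp) { tp->closed = 1; lower_dec_ref(tp); }

secure_tp *secure_create(lower_tp *member) {
    secure_tp *s = calloc(1, sizeof *s);
    if (!s) abort();
    member->refcnt++;   /* pin the member for the wrapper's whole lifetime */
    s->member = member;
    return s;
}
/* Returns 0 on success, -1 if the member transport was already closed. */
int secure_send(secure_tp *s) {
    return s->member->closed ? -1 : 0;   /* member memory is still valid here */
}
void secure_destroy(secure_tp *s) {
    lower_dec_ref(s->member);   /* may be the final reference */
    free(s);
}

int main(void) {
    lower_tp *ice = lower_create();
    secure_tp *srtp = secure_create(ice);
    lower_close(ice);   /* owner tears the lower transport down first */
    printf("send after close: %d, live: %d\n", secure_send(srtp), live_lower);
    secure_destroy(srtp);
    printf("live after destroy: %d\n", live_lower);
    return 0;
}
```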
Patch Reference
- PJSIP master commit
- Release info: https://github.com/pjsip/pjproject/security/advisories/GHSA-wj65-8qgp-h39f
How Can You Protect Your Apps?
1. Upgrade Immediately: Make sure you're using the patched version of PJSIP. Follow the links above to get the patch.
2. Double-Check Your Transport Stack: If you use SRTP together with ICE, or anything other than UDP as the lower-level transport, this bug is relevant to you.
3. Consider Memory Analysis Tools: Use memory safety analysis tools like AddressSanitizer or Valgrind during development to catch use-after-free and similar bugs.
Bottom Line
CVE-2023-38703 is a serious use-after-free in PJSIP’s SRTP stack, triggered if you use something other than UDP as the underlying transport for media. It can crash your app or, in theory, let an attacker take control. The fix is now available—don’t wait to upgrade.
Stay safe, and always keep your multimedia libraries up to date! If you have questions, leave a comment or seek help in the PJSIP community.
Timeline
Published on: 10/06/2023 14:15:12 UTC
Last modified on: 10/06/2023 22:30:43 UTC