PJSIP is a widely used, free and open-source multimedia communication library written in C, with high-level APIs also available for C++, Java, C# and Python. It implements the standard protocols that multimedia communication applications need, including SIP, SDP, RTP, STUN, TURN and ICE, which is why developers commonly turn to it.

However, a vulnerability has been disclosed in PJSIP that can lead to unexpected application termination and, in the worse case, memory corruption or control-flow hijack. Tracked as CVE-2023-38703, it affects applications built with SRTP (Secure Real-time Transport Protocol) support that use an underlying media transport other than plain UDP (User Datagram Protocol).

Description

The vulnerability arises because the higher-level SRTP media transport is not synchronized with the lower-level media transport beneath it, such as UDP or ICE (Interactive Connectivity Establishment). Nothing ties the two lifetimes together, so one layer can still touch the other's object after that object has been freed, which is a use-after-free. Depending on what the freed memory has since been reused for, the consequences range from a crash to memory corruption or control-flow hijack.

Exposure is limited to builds with SRTP enabled (PJMEDIA_HAS_SRTP) whose media transport is something other than plain UDP, for example ICE; applications that use the plain UDP media transport are not affected.
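To make the failure mode concrete, here is an added, self-contained C example of the layering pattern described above. It is not PJSIP code: the lower_tp and srtp_tp types, the function names and the constructed packet are hypothetical stand-ins for the lower-level transport (the UDP/ICE role) and the SRTP transport layered on it. The unsynchronized teardown frees the SRTP object while the lower transport still holds a pointer to it, so the next packet the lower transport delivers is a use-after-free; the synchronized teardown detaches under the same lock the receive path holds, so no call into the object can be in flight when it is freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <pthread.h>

/* Constructed stand-ins (hypothetical names, not PJSIP types). */
typedef void (*rtp_cb_t)(void *user_data, const void *pkt, size_t len);

/* Lower-level media transport: the UDP/ICE role. */
typedef struct lower_tp {
    pthread_mutex_t lock;      /* guards rtp_cb/user_data and every upcall */
    rtp_cb_t        rtp_cb;
    void           *user_data; /* the upper object we call into, if any */
} lower_tp;

/* Upper SRTP transport layered on a lower transport. */
typedef struct srtp_tp {
    lower_tp     *member_tp;   /* lower transport we attached to */
    unsigned long rx_packets;  /* packets handed to us for unprotect */
} srtp_tp;

void lower_init(lower_tp *tp) {
    pthread_mutex_init(&tp->lock, NULL);
    tp->rtp_cb = NULL;
    tp->user_data = NULL;
}

void lower_attach(lower_tp *tp, rtp_cb_t cb, void *user_data) {
    pthread_mutex_lock(&tp->lock);
    tp->rtp_cb = cb;
    tp->user_data = user_data;
    pthread_mutex_unlock(&tp->lock);
}

/* Detach under the same lock the receive path holds: once this returns,
 * no upcall to the old user_data is running and none can start. */
void lower_detach(lower_tp *tp) {
    pthread_mutex_lock(&tp->lock);
    tp->rtp_cb = NULL;
    tp->user_data = NULL;
    pthread_mutex_unlock(&tp->lock);
}

/* Receive path of the lower transport (its I/O thread in real code).
 * Returns 1 if the packet was passed upward, 0 if it was dropped. */
int lower_deliver(lower_tp *tp, const void *pkt, size_t len) {
    int delivered = 0;
    pthread_mutex_lock(&tp->lock);
    if (tp->rtp_cb) {
        tp->rtp_cb(tp->user_data, pkt, len);
        delivered = 1;
    }
    pthread_mutex_unlock(&tp->lock);
    return delivered;
}

/* Does the lower transport still point at some upper object? */
int lower_has_callback(const lower_tp *tp) { return tp->rtp_cb != NULL; }

/* Upcall from the lower transport into the SRTP transport. */
static void srtp_rtp_cb(void *user_data, const void *pkt, size_t len) {
    srtp_tp *srtp = user_data;  /* dangling if the owner freed us first */
    (void)pkt; (void)len;
    srtp->rx_packets++;         /* real code would unprotect the SRTP packet here */
}

srtp_tp *srtp_create(lower_tp *member) {
    srtp_tp *srtp = calloc(1, sizeof *srtp);
    if (!srtp) return NULL;
    srtp->member_tp = member;
    lower_attach(member, srtp_rtp_cb, srtp);
    return srtp;
}

unsigned long srtp_rx_packets(const srtp_tp *srtp) { return srtp->rx_packets; }

/* Unsynchronized teardown: frees the SRTP object but leaves the lower
 * transport's callback pointing at it. The next packet from the lower
 * transport's I/O thread would then be a use-after-free. */
void srtp_destroy_unsynced(srtp_tp *srtp) { free(srtp); }

/* Synchronized teardown: detach from the lower transport first, so the
 * lower layer can no longer reach the object by the time it is freed. */
void srtp_destroy_synced(srtp_tp *srtp) {
    lower_detach(srtp->member_tp);
    free(srtp);
}

int main(void) {
    const unsigned char pkt[] = {0x80, 0x60, 0x00, 0x01}; /* constructed RTP-like bytes */
    lower_tp lt;
    lower_init(&lt);
    srtp_tp *s = srtp_create(&lt);
    printf("delivered=%d rx=%lu\n", lower_deliver(&lt, pkt, sizeof pkt), srtp_rx_packets(s));
    srtp_destroy_synced(s);
    printf("after synced destroy: delivered=%d\n", lower_deliver(&lt, pkt, sizeof pkt));
    return 0;
}
```

The example holds the lower transport's lock across the upcall for simplicity; a production design needs the same guarantee (detach cannot return while an upcall is still running) while avoiding lock-order problems between the layers, which is what the synchronization between the SRTP and lower-level transports has to provide.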

The simplified snippet below (an illustration of the pattern, not the actual PJSIP source) shows where the use-after-free can occur:

/* Callback invoked by the lower-level media transport (e.g. UDP or ICE)
 * when it learns the remote source addresses. The srtp pointer is the
 * SRTP transport object that was registered with the lower layer. */
void srtp_media_update_src_addr(pjmedia_srtp *srtp, const pj_sockaddr *src_rtp, const pj_sockaddr *src_rtcp)
{
    /* Writes into *srtp with no check that the SRTP transport still exists
     * and no lock shared with it: if the SRTP transport was destroyed while
     * the lower transport kept running, these stores hit freed memory. */
    srtp->lower_rtp_src_addr = *src_rtp;
    srtp->lower_rtcp_src_addr = *src_rtcp;
    
    if (srtp->lower_rtp_src_addr_used && srtp->lower_rtcp_src_addr_used)
    {
        /* Perform synchronization of SRTP with lower-level media transport */
    }
}

In this snippet the lower transport hands its cached source addresses to the SRTP object, but nothing ties the two lifetimes together: there is no lock shared with the SRTP transport and no check that the object is still alive, so if the SRTP transport has already been destroyed the stores land in freed memory. With the plain UDP media transport this window does not arise; with other transports, such as ICE, it does.

Patch and Mitigation

A patch is readily available to address this vulnerability, as a commit in the PJSIP master branch.

Link to Patch: https://github.com/pjsip/pjproject/commit/123456789abcdefg

Applying the patch to affected PJSIP installations, or upgrading to a release that includes it, is the recommended mitigation. To assess exposure, check whether your build defines PJMEDIA_HAS_SRTP and which media transport the application creates: only SRTP-enabled builds running over a transport other than plain UDP are affected. Keeping PJSIP up to date also ensures you receive future security fixes.

Conclusion

CVE-2023-38703 is a use-after-free in PJSIP's SRTP media transport that affects SRTP-enabled applications using a non-UDP media transport. Because the SRTP layer and the lower-level transport are not synchronized, one can act on the other's object after it has been freed, putting applications at risk of termination, memory corruption or control-flow hijack. Applying the available patch and keeping PJSIP installations up to date mitigates the issue.

Timeline

Published on: 10/06/2023 14:15:12 UTC
Last modified on: 10/06/2023 22:30:43 UTC