Claroty has just disclosed a vulnerability affecting Belledonne Communications’ Linphone SIP Protocol Stack.
During the course of its research, Claroty found a null pointer dereference vulnerability in the Linphone belle-sip component that is remotely exploitable, requiring no action from the victim. This is a dangerous zero-click attack requiring only an invalid SIP message header to be sent that would crash the client and create a denial-of-service condition.
Exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks. A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects.
Since many networks are a mix of operational technology and internet of things (IoT) devices, it makes sense to analyse these connected physical systems from a research perspective. The risk any IoT vulnerability poses can be substantial, and every day we’re seeing more evidence of attackers and researchers demonstrating ways to leverage that connectivity to either exploit a device directly or move laterally through a network.
One common IoT use case prevalent inside the enterprise, and home networks, is voice and video devices. Today, this goes well beyond just a VoIP phone to include surveillance cameras, and even connected doorbells that record video as part of an overall security system. Protocols such as the Session Initiation Protocol (SIP) are the foundation of these devices and are used to facilitate message transport. As part of Team82’s research, we have been examining different SIP-based platforms and related software, including the Linphone SIP client suite.
VoIP messages and calls are made over an IP network rather than over traditional public switched telephone networks (PSTN). Messages are sent using control protocols, such as SIP, the Skinny Client Control Protocol (SCCP), or various others that are proprietary. Many VoIP services are free and convenient for users, but a compromise of such a service can give an attacker a foothold onto a corporate network and possibly the IoT/OT network. One example would be modern security cameras and doorbells that use VoIP protocols to transfer audio data when initiating a “call” with an IoT device.
Now Team82 has found a null pointer dereference vulnerability in the Linphone belle-sip component. Belle-sip is a C library with an object-oriented API used to implement SIP transport, transaction, and dialog layers; there’s also a HTTP/HTTPS client implementation. The vulnerability is remotely exploitable, requiring no action from the victim. This is a dangerous zero-click attack requiring only an invalid SIP message header to be sent that would crash the client and create a denial-of-service condition.
All belle-sip versions prior to v 4.5.20 in Linphone and likely other similar products, are affected. The vulnerability was fixed in v4.5.20 of the SIP protocol stack (Commit with the fix). As with most third-party components, patching the core protocol stack is the right first step, but those updates must be applied downstream as well by vendors using the affected SIP stack in their respective products. Linphone’s website, for example, cites close to 30 reference customers, including some giants such as BT, Acer, and Swisscom, all of whom develop VoIP applications with Linphone at their core.