Identity, Threat Management

Linphone, MicroSIP softphones impacted by critical vulnerabilities

The Hacker News reports that threat actors could remotely exploit now-addressed security vulnerabilities in Linphone and MicroSIP softphone software to enable client crashes and exfiltrate sensitive data through phone calls. SySS GmbH researcher Moritz Abrell discovered that the softphones could be impacted by a SIP Digest Leak attack, which involves SIP INVITE message and "407 proxy authentication required" HTTP response status code delivery that would eventually result in the targeted softphone to respond with appropriate authentication data. "With this information, the attacker is able to perform an offline password guessing attack, and, if the guessing attack is successful, obtain the plaintext password of the targeted SIP account. Therefore, this vulnerability in combination with weak passwords is a significant security issue," said Abrell. Meanwhile, the Linphone SIP stack was found to have a NULL pointer dereference flaw that could be set off through a delivery of a customized SIP INVITE request. "The security level of SIP stacks still needs improvement," Abrell said.

Related

More data broker regulation needed in draft privacy bill

More protections against data brokers were urged by lawmakers and data privacy experts to be added to the draft American Privacy Rights Act, which would only allow the deletion of consumer data provided that individual requests are made to the data brokers, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.