Linphone, MicroSIP softphones impacted by critical vulnerabilities | SC Media
Identity and access, Threat intelligence

Linphone, MicroSIP softphones impacted by critical vulnerabilities

October 20, 2021
The Hacker News reports that threat actors could remotely exploit now-addressed security vulnerabilities in Linphone and MicroSIP softphone software to enable client crashes and exfiltrate sensitive data through phone calls. SySS GmbH researcher Moritz Abrell discovered that the softphones could be impacted by a SIP Digest Leak attack, which involves SIP INVITE message and "407 proxy authentication required" HTTP response status code delivery that would eventually result in the targeted softphone to respond with appropriate authentication data. "With this information, the attacker is able to perform an offline password guessing attack, and, if the guessing attack is successful, obtain the plaintext password of the targeted SIP account. Therefore, this vulnerability in combination with weak passwords is a significant security issue," said Abrell. Meanwhile, the Linphone SIP stack was found to have a NULL pointer dereference flaw that could be set off through a delivery of a customized SIP INVITE request. "The security level of SIP stacks still needs improvement," Abrell said.
prestitial ad