Description
PJSIP is a free and open source multimedia communication library written in C with a high-level API in C, C++, Java, C#, and Python. SRTP is a higher-level media transport that is stacked upon a lower-level media transport such as UDP or ICE. Currently a higher-level transport is not synchronized with its lower-level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. The impact may range from unexpected application termination to control-flow hijack/memory corruption. The patch is available as a commit in the master branch.
EPSS Score: 1%
EUVD-2023-42480 Technical Analysis Report
Executive Summary
EUVD-2023-42480 (CVE-2023-38703) represents a critical severity vulnerability in PJSIP, a widely-deployed multimedia communication library. The vulnerability is a use-after-free condition in the SRTP implementation that can lead to remote code execution without authentication. With a CVSS score of 9.8, this vulnerability poses significant risk to VoIP, video conferencing, and real-time communication systems across the European digital infrastructure.
1. Vulnerability Assessment and Severity Evaluation
Technical Classification
- Vulnerability Type: Use-After-Free (UAF) memory corruption
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- EPSS Score: 1% (probability of exploitation in the wild)
Severity Justification
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates:
- Network Exploitable (AV:N): Remotely exploitable without physical access
- Low Complexity (AC:L): No special conditions required for exploitation
- No Privileges Required (PR:N): Unauthenticated exploitation possible
- No User Interaction (UI:N): Fully automated exploitation feasible
- High Impact (C:H/I:H/A:H): Complete compromise of confidentiality, integrity, and availability
Root Cause Analysis
The vulnerability stems from improper synchronization between SRTP (Secure Real-time Transport Protocol) as a higher-level media transport and its underlying lower-level transport mechanisms (e.g., ICE, custom transports). When the lower-level transport is deallocated or modified, the SRTP layer may retain dangling pointers, leading to use-after-free conditions when these pointers are subsequently dereferenced.
2. Potential Attack Vectors and Exploitation Methods
Attack Scenarios
Scenario 1: Malicious SIP/RTP Stream Injection
Attacker → Crafted SIP INVITE → Vulnerable PJSIP Server
→ Malicious RTP/SRTP packets → Trigger UAF
→ Memory corruption → Code execution
Attack Flow:
- Attacker initiates SIP session with vulnerable endpoint
- Negotiates SRTP-enabled media session
- Sends specially crafted RTP packets that trigger transport layer changes
- Exploits race condition during transport reconfiguration
- Achieves arbitrary code execution through memory corruption
Scenario 2: Man-in-the-Middle Transport Manipulation
- Attacker intercepts legitimate VoIP session
- Manipulates ICE negotiation or transport switching
- Forces premature deallocation of lower-level transport
- Triggers use-after-free through continued SRTP operations
Exploitation Complexity
Moderate to High:
- Requires understanding of PJSIP transport architecture
- Timing-dependent exploitation (race condition)
- Memory layout knowledge beneficial for reliable exploitation
- Network positioning required for MITM scenarios
Exploitation Consequences
- Remote Code Execution (RCE): Arbitrary code execution with application privileges
- Denial of Service (DoS): Application crash through memory corruption
- Information Disclosure: Memory leakage of sensitive data (encryption keys, credentials)
- Session Hijacking: Manipulation of ongoing communication sessions
3. Affected Systems and Software Versions
Vulnerable Versions
- PJSIP pjproject ≤ 2.13.1
- All versions prior to the security patch commit 6dc9b8c181aff39845f02b4626e0812820d4ef0d
Affected Configurations
Critical Requirement: Applications must have both of the following:
- The PJMEDIA_HAS_SRTP compilation flag enabled
- A non-UDP underlying media transport (ICE, custom transports)
Note: Standard configurations whose media transport is plain UDP are NOT vulnerable
Ecosystem Impact
PJSIP is embedded in numerous commercial and open-source products:
Enterprise Systems
- VoIP PBX Systems: Asterisk, FreeSWITCH (when using PJSIP stack)
- Unified Communications Platforms
- Contact Center Solutions
- Video Conferencing Systems
Mobile Applications
- Android/iOS VoIP Applications
- WebRTC Gateways
- SIP Softphones
IoT and Embedded Devices
- IP Phones
- Video Intercoms
- Security Camera Systems with audio
European Infrastructure Exposure
Given PJSIP's widespread adoption in telecommunications infrastructure, critical sectors at risk include:
- Healthcare telemedicine platforms
- Government communication systems
- Financial services voice authentication
- Emergency services (112/999) infrastructure
- Critical infrastructure SCADA systems with VoIP components
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
1. Patch Application
# Build from source at the patch commit (or any later master commit or release that contains it)
git clone https://github.com/pjsip/pjproject.git
cd pjproject
git checkout 6dc9b8c181aff39845f02b4626e0812820d4ef0d
./configure && make dep && make
For Debian-based Systems:
apt-get update
# Substitute the binary package name your distribution uses for pjproject
apt-get install --only-upgrade pjproject
# Ensure the installed version is > 2.13.1 or carries the backported fix
2. Vulnerability Assessment
# Check whether SRTP is overridden in your build; PJMEDIA_HAS_SRTP defaults to 1
# in pjmedia/config.h, so no match here means SRTP is enabled
grep -n "PJMEDIA_HAS_SRTP" /path/to/pjsip/config_site.h
# Identify the media transport configuration
# Review application code for non-UDP media transports (ICE, custom transports)
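The two assessment steps above can be scripted. The following is an added example, not code from the advisory or the pjproject project: it reads the PJ_VERSION_NUM_MAJOR/MINOR/REV macros from pjlib/include/pj/config.h, reads the PJMEDIA_HAS_SRTP override (if any) from pjlib/include/pj/config_site.h, and combines both into a verdict. It assumes the default of PJMEDIA_HAS_SRTP is 1 when config_site.h is silent, and it treats any version ≤ 2.13.1 as affected; because a master checkout still reports 2.13.1 after the fix landed, a separate function asks git whether the patch commit is an ancestor of HEAD. The demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the pjproject repository):
# classify a pjproject source tree against CVE-2023-38703.

# Echo "affected" when MAJOR.MINOR.REV <= 2.13.1, else "fixed-release".
pj_version_status() {
    major=$1; minor=$2; rev=$3
    if [ "$major" -ne 2 ]; then
        [ "$major" -lt 2 ] && echo affected || echo fixed-release
    elif [ "$minor" -ne 13 ]; then
        [ "$minor" -lt 13 ] && echo affected || echo fixed-release
    elif [ "$rev" -le 1 ]; then
        echo affected
    else
        echo fixed-release
    fi
}

# Echo "MAJOR MINOR REV" parsed from pjlib/include/pj/config.h ($1),
# or nothing if the file is unreadable.
pj_version_from_config() {
    [ -r "$1" ] || return 0
    for m in MAJOR MINOR REV; do
        sed -n "s/^#[[:space:]]*define[[:space:]]*PJ_VERSION_NUM_$m[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
    done | tr '\n' ' ' | sed 's/ $//'
}

# Echo the effective PJMEDIA_HAS_SRTP value for config_site.h ($1).
# Assumption: pjmedia/config.h defaults the flag to 1, so a missing or
# silent config_site.h means SRTP is enabled.
srtp_flag() {
    val=""
    [ -r "$1" ] && val=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]*PJMEDIA_HAS_SRTP[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-1}"
}

# For a git checkout at $1, report whether the patch commit is an ancestor
# of HEAD (version macros alone cannot tell a patched master from 2.13.1).
patch_commit_present() {
    git -C "$1" merge-base --is-ancestor 6dc9b8c181aff39845f02b4626e0812820d4ef0d HEAD 2>/dev/null \
        && echo present || echo absent-or-not-a-repo
}

# Combine the version and build-flag checks for a pjproject tree rooted at $1.
assess_pjproject_tree() {
    root=$1
    ver=$(pj_version_from_config "$root/pjlib/include/pj/config.h")
    [ -n "$ver" ] || { echo "unknown: cannot read version macros"; return 0; }
    set -- $ver
    [ $# -eq 3 ] || { echo "unknown: incomplete version macros"; return 0; }
    vstatus=$(pj_version_status "$1" "$2" "$3")
    srtp=$(srtp_flag "$root/pjlib/include/pj/config_site.h")
    if [ "$vstatus" = affected ] && [ "$srtp" = 1 ]; then
        echo "exposed: pjproject $1.$2.$3 with PJMEDIA_HAS_SRTP=1 (verify the patch commit and the media transport in use)"
    elif [ "$vstatus" = affected ]; then
        echo "not-exposed: pjproject $1.$2.$3 but PJMEDIA_HAS_SRTP=0"
    else
        echo "not-exposed: pjproject $1.$2.$3 is later than 2.13.1"
    fi
}

# Demo on a constructed tree standing in for a real checkout.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/pjlib/include/pj"
printf '#define PJ_VERSION_NUM_MAJOR\t2\n#define PJ_VERSION_NUM_MINOR\t13\n#define PJ_VERSION_NUM_REV\t1\n' \
    > "$demo_root/pjlib/include/pj/config.h"
printf '/* constructed config_site.h: no SRTP override, so the default (1) applies */\n' \
    > "$demo_root/pjlib/include/pj/config_site.h"
assess_pjproject_tree "$demo_root"
rm -rf "$demo_root"
```

An "exposed" verdict is a build-level result only: the advisory's second condition, a non-UDP media transport, is an application choice that has to be confirmed by reading the code that creates media transports. Note that patch_commit_present reports the commit as absent in a shallow clone that does not contain it.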
3. Network Segmentation
- Isolate VoIP infrastructure behind firewalls
- Implement strict SIP/RTP access control lists
- Deploy Session Border Controllers (SBCs) with deep packet inspection
Short-term Mitigations (Priority 2)
Configuration Hardening
// If SRTP is not required, disable it at compile time (in pjlib/include/pj/config_site.h)
#define PJMEDIA_HAS_SRTP 0

// Keep media on plain UDP: with ICE disabled, pjsua stacks SRTP (if still enabled)
// directly on the UDP media transport, which is not the affected configuration.
pjsua_media_config media_cfg;
pjsua_media_config_default(&media_cfg);
media_cfg.enable_ice = PJ_FALSE;
// SIP signaling transport over UDP (this is separate from the media transport above)
pjsua_transport_config cfg;
pjsua_transport_config_default(&cfg);
cfg.port = 5060;
pjsua_transport_create(PJSIP_TRANSPORT_UDP, &cfg, NULL);
Runtime Protections
- Enable Address Space Layout Randomization (ASLR)
- Deploy Stack Canaries and Control Flow Integrity (CFI)
- Implement memory-safe allocators (e.g., tcmalloc with guards)
Long-term Strategic Measures (Priority 3)
- Dependency Management:
  - Implement Software Bill of Materials (SBOM)
  - Automated vulnerability scanning in CI/CD pipelines
  - Subscribe to PJSIP security advisories
- Security Architecture:
  - Migrate to memory-safe language implementations where feasible
  - Implement defense-in-depth with multiple security layers
  - Regular penetration testing of VoIP infrastructure
- Monitoring and Detection (IDS/IPS signatures for exploitation attempts):
  - Unusual RTP packet patterns
  - Rapid transport renegotiation
  - Abnormal SIP INVITE sequences
  - Application crashes in SRTP handling
- Incident Response Preparation:
  - Develop VoIP-specific incident response playbooks
  - Establish communication channel redundancy
  - Maintain offline backup communication systems
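The "rapid transport renegotiation" and "abnormal SIP INVITE sequences" indicators above are rate heuristics, and the following added example (not part of the advisory) shows one way to score them. It assumes a normalised SIP trace with one request per line in the constructed form "<epoch-seconds> <method> <Call-ID>", time-ordered within each Call-ID, and flags every Call-ID that carries at least THRESHOLD INVITE or re-INVITE requests inside any WINDOW-second span. The trace at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory): flag dialogs that renegotiate
# media unusually often, one indicator listed under Monitoring and Detection.

# Print each Call-ID with at least THRESHOLD INVITEs inside a trailing
# WINDOW-second span.  Usage: flag_rapid_reinvites FILE THRESHOLD WINDOW
flag_rapid_reinvites() {
    awk -v thr="$2" -v win="$3" '
        $2 == "INVITE" {
            id = $3
            n[id]++
            ts[id, n[id]] = $1
            # count the INVITEs of this Call-ID that fall inside the window
            c = 0
            for (i = n[id]; i >= 1 && $1 - ts[id, i] <= win; i--) c++
            # report each Call-ID once, the first time it crosses the threshold
            if (c >= thr && !(id in flagged)) { flagged[id] = 1; print id }
        }' "$1"
}

# Constructed trace: call a1b2c3 renegotiates four times in six seconds,
# call d4e5f6 twice five minutes apart, call 778899 is a single INVITE.
demo_trace=$(mktemp)
cat > "$demo_trace" <<'EOF'
1700000000 INVITE a1b2c3@10.0.0.5
1700000001 ACK a1b2c3@10.0.0.5
1700000002 INVITE a1b2c3@10.0.0.5
1700000004 INVITE a1b2c3@10.0.0.5
1700000006 INVITE a1b2c3@10.0.0.5
1700000000 INVITE d4e5f6@10.0.0.9
1700000300 INVITE d4e5f6@10.0.0.9
1700000010 INVITE 778899@10.0.0.7
EOF
# With threshold 3 and a 10-second window only a1b2c3@10.0.0.5 is reported
flag_rapid_reinvites "$demo_trace" 3 10
rm -f "$demo_trace"
```

Threshold and window should be tuned against the baseline of the deployment: legitimate hold/resume and codec changes also produce re-INVITEs, so a hit is a lead for correlation with SRTP-related crashes in application logs, not a verdict on its own.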
5. Impact on European Cybersecurity Landscape
Regulatory Compliance Implications
NIS2 Directive Considerations
- Essential Entities: Telecommunications providers must report incidents within 24 hours
- Important Entities: Digital service providers face similar obligations
- Risk Management: Vulnerability represents supply chain security risk requiring assessment
GDPR Implications
- Potential for unauthorized access to voice communications (personal data)
- Data