Select Page

As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack.

The weaknesses were identified and reported by JFrog’s Security Research team, following which the project maintainers released patches (version 2.12) last week on February 24, 2022.

PJSIP is an open-source embedded SIP protocol suite written in C that supports audio, video, and instant messaging features for popular communication platforms such as WhatsApp and BlueJeans. It’s also used by Asterisk, a widely-used private branch exchange (PBX) switching system for VoIP networks.

“Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes,” PJSIP’s developer Sauw Ming noted in an advisory posted on GitHub last month, a scenario that could result in buffer overflows.

images from Hacker News