OpenSIPS Security Audit, fully disclosed

If almost one year ago we were releasing the first results of the security audit performed by of Enable Security over the OpenSIPS 3.2 code, now is the right time for the full disclosure.

What was missing?

As per the initial post, we hold back all the information about how to reproduce the crashes. Why? We wanted to give all our user a more than fair chance to protect themselves from any kind of malicious attacks based on the information disclosed in this report.

So we put ~1 year between the original brief results and the time to publish the full report.

And now is the time for the full report, detailing, for each found issue:

  • bracktrace for the crash
  • explanation of the crash
  • detailed instructions on how to be reproduced

There are more then 50 pages of detailed information, thanks to the tremendous work done by the Enable Security team.

Work in progress

Right now, with all the information being public, we will have to complete some final steps

  • GITHUB Security Advisories – we will go back to all the GIT commits related to the audit and properly fill in the data in the mentioned security advisories – in this way, the commits with the fixes will be directly linked to the detailed description of the issue.
  • request CVEs – for all the items found, we will create public CVE’s to really help devops / engineers to upgrade.

More ?

More on security, testing and performance of OpenSIPS will be presented during the OpenSIPS Summit 2023 in Houston.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s