CVE-2021-37624
HIGHEPSS 88th pctlDescription
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit Intelligence
Elevated risk: more likely to be exploited than 88% of all known CVEs.
References
Related Vulnerabilities
Other CWE-287 (Improper Authentication) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2023-35082 | Critical | 9.8 | 100% | KEV + Ransom | Fix |
| CVE-2023-35078 | Critical | 9.8 | 100% | KEV + Ransom | Fix |
| CVE-2017-7921 | Critical | 9.8 | 100% | KEV | - |
| CVE-2024-7593 | Critical | 9.8 | 100% | KEV | - |
| CVE-2023-46805 | High | 8.2 | 100% | KEV + Ransom | - |
| CVE-2022-40684 | Critical | 9.8 | 100% | KEV + Ransom | Fix |
Embed a live status badge for CVE-2021-37624
Markdown
[](https://tridentstack.com/cve/CVE-2021-37624)HTML
<a href="https://tridentstack.com/cve/CVE-2021-37624"><img src="https://tridentstack.com/cve/badge/CVE-2021-37624.svg" alt="CVE-2021-37624"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.