Denial of service with SIP

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2020-002 01/28/2020 medium v1

Vulnerability details

Potential denial of service of the UTM during SIP exchanges.

Impacted products

ProductsSeverityDetail
Stormshield Network Security medium impacted

Revisions

Version Date Description
v1 01/28/2020 Initial release

 



Stormshield Network Security

CVSS v2 Overall Score: 5.3      

Analysis

Impacted version

During SIP over TCP analysis the SNS engine can freeze due to internal memory error. An attacker can potentially forge traffic in order to cause a denial of service of the UTM.

  • SNS 3.0.0 to 3.7.11
  • SNS 3.8.0 to 3.10.1
  • SNS 4.0.0 to 4.0.2

Workaround solution

Solution

Allow SIP exchanges only between trusted sources.

The SNS 3.7.12, 3.10.2 and 4.0.3 updates fix this vulnerability.



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Network Medium None None None Complete
CVSS Base score: 7.1 CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 5.3 CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
None High [76-100%]
CVSS Environmental score: 5.3 CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)