Published on Mar 17, 2023 in sip security, sipvicious pro, sip security testing, security tools, opensips, kamailio, fuzzing, denial of service, research
It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.
OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work, so we were rather familiar with the software and the project itself. Then, back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!
For further background on how this happened, do watch the presentation or view the slides that we presented at the OpenSIPS Distributed Summit 2021, before we started the actual security audit.