CVE-2021-41157: 
FreeSWITCH vulnerability analysis and mitigation

FreeSWITCH versions 1.10.5 and earlier contain a security vulnerability (CVE-2021-41157) where SIP SUBSCRIBE requests are not authenticated by default. The vulnerability was discovered on June 7, 2021, and was fixed in version 1.10.7, released on October 24, 2021. This issue affects the default configuration of FreeSWITCH, a Software Defined Telecom Stack (Enable Security Advisory, GitHub Advisory).

The vulnerability stems from a configuration issue where SIP SUBSCRIBE requests are processed without requiring authentication. The issue has been assigned a CVSS v3.1 score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-287 (Improper Authentication) (GitHub Advisory).

The vulnerability allows attackers to subscribe to user agent event notifications without authentication. This can lead to privacy breaches as attackers can monitor the status of target SIP extensions, potentially facilitating social engineering attacks. The impact primarily affects the confidentiality of user status information (GitHub Advisory).

The recommended mitigation is to upgrade to FreeSWITCH version 1.10.7 or later. It's important to note that installations upgraded from older versions to the fixed version may still be vulnerable if the configuration is not updated accordingly, as software upgrades do not automatically update the configuration files (GitHub Advisory).