CVE-2023-40019: 
FreeSWITCH vulnerability analysis and mitigation

FreeSWITCH, a Software Defined Telecom Stack, was found to be vulnerable to a denial of service attack prior to version 1.10.10. The vulnerability (CVE-2023-40019) was discovered and disclosed in September 2023, affecting all versions up to 1.10.9. The issue allows authorized users to cause a denial of service by sending re-INVITE with SDP containing duplicate codec names (GitHub Advisory, NVD).

When a call in FreeSWITCH completes codec negotiation, the codec_string channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

By exploiting this vulnerability, an attacker can corrupt the stack of FreeSWITCH, leading to undefined behavior of the system or causing it to crash. The primary impact is on system availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in FreeSWITCH version 1.10.10. Users are strongly encouraged to upgrade to this version or later to address the security issue. The fix was part of a major release that included critical security fixes and other improvements (GitHub Release).