
Cloud Vulnerability DB
A community-led vulnerabilities database
FreeSWITCH, a Software Defined Telecom Stack, was found to be vulnerable to Denial of Service attacks prior to version 1.10.11. The vulnerability (CVE-2023-51443) was discovered on September 27, 2023, and publicly disclosed on December 22, 2023. This security flaw affects FreeSWITCH installations that rely on DTLS-SRTP for encrypted calls (GitHub Advisory, NVD).
The vulnerability stems from a race condition in the hello handshake phase of the DTLS protocol during media setup. The issue occurs when an attacker sends a ClientHello DTLS message with an invalid CipherSuite (such as TLS_NULL_WITH_NULL_NULL) to the FreeSWITCH server's port that is expecting packets from the caller. This triggers a DTLS error, resulting in the media session being torn down, followed by teardown at the signaling (SIP) level. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Security Online).
The exploitation of this vulnerability can lead to a massive Denial of Service on vulnerable FreeSWITCH servers, specifically affecting calls that rely on DTLS-SRTP. With over 5,000 businesses globally depending on FreeSWITCH for their telephony infrastructure, the potential impact is significant (Security Online).
The vulnerability has been patched in FreeSWITCH version 1.10.11. The implemented solution drops all packets from addresses that have not been validated by an ICE check. Organizations running FreeSWITCH are strongly advised to upgrade to version 1.10.11 or later to address this security issue (NVD, GitHub Advisory).
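The fix described above, sketched as an added example (not FreeSWITCH's own code and not taken from the advisory): a receive-path filter that hands STUN to the ICE agent and drops everything else, DTLS ClientHello records included, unless the source address has already passed an ICE check. The struct, the function names and the choice to always pass STUN are assumptions; packet classes follow the first-byte ranges of RFC 7983.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define MAX_VALIDATED 8

/* Hypothetical per-call media state: peers that passed an ICE connectivity check. */
struct media_session {
    struct sockaddr_in validated[MAX_VALIDATED];
    size_t n_validated;
};

enum verdict { PASS_STUN, PASS_DTLS, PASS_MEDIA, DROP_UNVALIDATED, DROP_OTHER };

/* Build an IPv4 peer address from a dotted quad and a host-order port. */
struct sockaddr_in make_addr(const char *ip, uint16_t port) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

int ice_validated(const struct media_session *s, const struct sockaddr_in *from) {
    for (size_t i = 0; i < s->n_validated; i++)
        if (s->validated[i].sin_addr.s_addr == from->sin_addr.s_addr &&
            s->validated[i].sin_port == from->sin_port)
            return 1;
    return 0;
}

/* Called once a STUN connectivity check from `from` has succeeded. */
void mark_validated(struct media_session *s, const struct sockaddr_in *from) {
    if (!ice_validated(s, from) && s->n_validated < MAX_VALIDATED)
        s->validated[s->n_validated++] = *from;
}

/* Classify by first byte (RFC 7983 ranges) and gate non-STUN traffic on ICE validation. */
enum verdict filter_packet(const struct media_session *s, const struct sockaddr_in *from,
                           const uint8_t *pkt, size_t len) {
    if (len == 0) return DROP_OTHER;
    if (pkt[0] <= 3) return PASS_STUN;                     /* ICE agent authenticates STUN itself */
    if (!ice_validated(s, from)) return DROP_UNVALIDATED;  /* never reaches the DTLS stack */
    if (pkt[0] >= 20 && pkt[0] <= 63) return PASS_DTLS;
    if (pkt[0] >= 128 && pkt[0] <= 191) return PASS_MEDIA;
    return DROP_OTHER;
}
```

With this ordering, a handshake record from an address that never completed an ICE check cannot produce a DTLS error on the session, so it cannot trigger the media and SIP teardown.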
Source: This report was generated using AI