Community.Security-Audit History

April 28, 2022, at 06:00 PM by 109.99.227.30 -
Changed lines 7-8 from:

The Security Audit is completed! [[ https://blog.opensips.org/2022/04/28/opensips-security-audit-facts-and-results/|A lot of fuzzing, testing and of course fixing]]. Everything just to make OpenSIPS more secure.

to:

The Security Audit is completed! A lot of fuzzing, testing and of course fixing. Everything just to make OpenSIPS more secure.

April 28, 2022, at 06:00 PM by 109.99.227.30 -
Changed lines 7-8 from:

The fund raising is completed, thanks to the generous contributions we received from all over our community!!! Now it is to start the audit process, updates will follow here.

to:

The Security Audit is completed! [[ https://blog.opensips.org/2022/04/28/opensips-security-audit-facts-and-results/|A lot of fuzzing, testing and of course fixing]]. Everything just to make OpenSIPS more secure.

September 22, 2021, at 02:31 PM by 213.233.108.66 -
Added lines 4-13:


The fund raising is completed, thanks to the generous contributions we received from all over our community!!! Now it is to start the audit process, updates will follow here.


September 14, 2021, at 09:33 AM by 109.99.227.30 -
Changed line 91 from:
13.09.2021Antonis Psaras / Microbase SA1200 USDWire Transfer
to:
13.09.2021Antonis Psaras / Microbase P.C.1200 USDWire Transfer
September 14, 2021, at 08:54 AM by 109.99.227.30 -
Changed line 47 from:

Collected amount at 9th of Sept 2021 : $27,220\\

to:

Collected amount at 13th of Sept 2021 : $27,220\\

September 14, 2021, at 08:53 AM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 9th of Sept 2021 : $26,020
Remaining to collect : -2020$ :)

to:

Collected amount at 9th of Sept 2021 : $27,220
Remaining to collect : -3220$ :)

Added line 91:
13.09.2021Antonis Psaras / Microbase SA1200 USDWire Transfer
September 10, 2021, at 04:23 PM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 9th of Sept 2021 : $24,660
Remaining to collect : -660$ :)

to:

Collected amount at 9th of Sept 2021 : $26,020
Remaining to collect : -2020$ :)

Changed line 90 from:
to:
10.09.2021Real World Group1360 USDGoFundMe
September 09, 2021, at 03:53 PM by 109.98.32.238 -
Changed line 84 from:
08.09.2021Adam Jeffery20 USDGoFundMe
to:
08.09.2021Adam Jeffery20 USDGoFundMe
Changed line 87 from:
09.09.2021Umar Sear100 USDGoFundMe
to:
09.09.2021Umar Sear100 USDGoFundMe
September 09, 2021, at 03:50 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 9th of Sept 2021 : $23,660
Remaining to collect : 340$

to:

Collected amount at 9th of Sept 2021 : $24,660
Remaining to collect : -660$ :)

Added line 83:
08.09.2021OpenSIPS Solutions1000 USDPayPal
September 09, 2021, at 03:49 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 7th of Sept 2021 : $22,640
Remaining to collect : $1,360

to:

Collected amount at 9th of Sept 2021 : $23,660
Remaining to collect : 340$

Changed lines 83-89 from:
08.09.2021OpenSIPS Solutions1000 USDPayPal
to:
08.09.2021Adam Jeffery20 USDGoFundMe
08.09.2021Jonathan Abrams250 USDGoFundMe
09.09.2021Simon Devine500 USDGoFundMe
09.09.2021Umar Sear100 USDGoFundMe
09.09.2021QXIP BV1000 USDGoFundMe
09.09.2021Airbytes Communications Limited150 USDPayPal
September 08, 2021, at 08:04 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 7th of Sept 2021 : $20,640
Remaining to collect : $3,360

to:

Collected amount at 7th of Sept 2021 : $22,640
Remaining to collect : $1,360

Added lines 82-83:
08.09.2021Voicenter / Shlomi Gutman1000 USDPayPal
08.09.2021OpenSIPS Solutions1000 USDPayPal
September 08, 2021, at 07:51 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 7th of Sept 2021 : $20,390
Remaining to collect : $3,610

to:

Collected amount at 7th of Sept 2021 : $20,640
Remaining to collect : $3,360

Added lines 80-81:
08.09.2021Sumit Birla100 USDGoFundMe
08.09.2021David Duffett150 USDGoFundMe
September 08, 2021, at 07:25 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 7th of Sept 2021 : $19,390
Remaining to collect : $4,610

to:

Collected amount at 7th of Sept 2021 : $20,390
Remaining to collect : $3,610

Added line 79:
08.09.2021Maxim Sobolev / Sippy Software1000 USDPayPal
September 07, 2021, at 06:19 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 7th of Sept 2021 : $18,890
Remaining to collect : $5,110

to:

Collected amount at 7th of Sept 2021 : $19,390
Remaining to collect : $4,610

Changed lines 76-77 from:
26.07.2021Vasilios Tzanoudakis / Voiceland SA1000 USDWire Transfer
07.08.2021Alexey Vasilyev100 USDPayPal
to:
26.08.2021Vasilios Tzanoudakis / Voiceland SA1000 USDWire Transfer
07.09.2021Alexey Vasilyev100 USDPayPal
07.09.2021Jarrod Baumann500 USDPayPal
September 07, 2021, at 12:13 PM by 109.98.32.238 -
Changed lines 47-49 from:

Collected amount at 22nd of July 2021 : $17,790
Remaining to collect : $6,210

to:

Collected amount at 7th of Sept 2021 : $18,890
Remaining to collect : $5,110

Added lines 76-77:
26.07.2021Vasilios Tzanoudakis / Voiceland SA1000 USDWire Transfer
07.08.2021Alexey Vasilyev100 USDPayPal
July 27, 2021, at 10:32 AM by 92.80.252.98 -
Changed lines 47-49 from:

Collected amount at 22nd of July 2021 : $13,290
Remaining to collect : $10,710

to:

Collected amount at 22nd of July 2021 : $17,790
Remaining to collect : $6,210

Added line 75:
26.07.2021OpenSIPS Friends4500 USDWire Transfer
July 23, 2021, at 03:57 PM by 109.99.227.30 -
Changed lines 47-48 from:

Collected amount at 17th of July 2021 : $11,890
Remaining to collect : $12,110\\

to:

Collected amount at 22nd of July 2021 : $13,290
Remaining to collect : $10,710\\

July 23, 2021, at 03:56 PM by 109.99.227.30 -
Added lines 73-74:
22.07.2021Axeos Services BV1200 USDWire Transfer
22.07.2021Maksym Sobolyev200 USDPayPal
July 19, 2021, at 03:10 PM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 4th of July 2021 : $11,690
Remaining to collect : $12,310

to:

Collected amount at 17th of July 2021 : $11,890
Remaining to collect : $12,110

Added lines 71-72:
16.07.2021Ivan Poddubnyi100 USDGoFundMe
17.07.2021Ameed Jamous / TelecomsXChange100 USDPayPal
July 06, 2021, at 09:30 AM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 4th of July 2021 : $11,540
Remaining to collect : $12,460

to:

Collected amount at 4th of July 2021 : $11,690
Remaining to collect : $12,310

Added line 70:
05.07.2021X-on Surgery Connect150 USDGoFundMe
July 05, 2021, at 09:36 AM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 1st of July 2021 : $9,540
Remaining to collect : $14,460

to:

Collected amount at 4th of July 2021 : $11,540
Remaining to collect : $12,460

Added line 69:
04.07.2021Andrew Yager2000 USDGoFundMe
July 01, 2021, at 05:34 PM by 109.99.227.30 -
Changed line 47 from:

Collected amount at 28th of June 2021 : $9,540\\

to:

Collected amount at 1st of July 2021 : $9,540\\

July 01, 2021, at 05:33 PM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 28th of June 2021 : $6,440
Remaining to collect : $17,560

to:

Collected amount at 28th of June 2021 : $9,540
Remaining to collect : $14,460

Added lines 66-68:
30.06.2021Mike Tesliuk100 USDGoFundMe
01.07.2021Peter Kelly1000 USDGoFundMe
01.07.2021Bernard Buitenhuis / MaxiTel2000 USDWire Transfer
June 28, 2021, at 06:49 PM by 109.98.32.238 -
Changed line 75 from:
  • check our public fund raising via the GoFundMe platform. Here the target will be dynamically updated according the overall collected amount, via ll the channels
to:
  • check our public fund raising via the GoFundMe platform. Here the target will be dynamically updated according to the overall collected amount, via all the channels
June 28, 2021, at 06:49 PM by 109.98.32.238 -
Changed line 75 from:
  • check our public fund raising via the GoFundMe platform
to:
  • check our public fund raising via the GoFundMe platform. Here the target will be dynamically updated according the overall collected amount, via ll the channels
June 28, 2021, at 09:55 AM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 24th of June 2021 : $6,240
Remaining to collect : $17,760

to:

Collected amount at 28th of June 2021 : $6,440
Remaining to collect : $17,560

Added line 65:
27.06.2021Sharad Kumar200 USDGoFundMe
June 25, 2021, at 10:18 AM by 109.99.227.30 -
Changed lines 47-49 from:

Collected amount at 24th of June 2021 : $6,140
Remaining to collect : $17,860

to:

Collected amount at 24th of June 2021 : $6,240
Remaining to collect : $17,760

Changed line 57 from:
24.06.2021Lounis Goudjil/Manifone1000 USDGoFundMe
to:
24.06.2021Lounis Goudjil / Manifone1000 USDGoFundMe
Added line 64:
25.06.2021Dioris Moreno / Libereco Systems100 USDPayPal
June 25, 2021, at 08:54 AM by 109.99.227.30 -
Deleted lines 48-49:

(:progress 6140/24000:)

June 25, 2021, at 08:53 AM by 109.99.227.30 -
Added line 50:

(:progress 6140/24000:)

June 25, 2021, at 08:45 AM by 109.99.227.30 -
Changed lines 47-50 from:

Collected amount at 24th of June 2021 : $2,820
Remaining to collect : $21,180

to:

Collected amount at 24th of June 2021 : $6,140
Remaining to collect : $17,860

Added line 55:
24.06.2021OpenSIPS Solutions2000 USDPayPal
Added lines 61-64:
24.06.2021Dave Horton100 USDGoFundMe
24.06.2021Mickael Hubert120 USDPayPal
24.06.2021Connex Carrier Services (Worldwide) Limited1000 USDPayPal
25.06.2021Mayama Takeshi100 USDGoFundMe
June 24, 2021, at 03:21 PM by 109.99.227.30 -
Changed lines 47-50 from:

Collected amount at 24th of June 2021 : $2,620
Remaining to collect : $21,380

to:

Collected amount at 24th of June 2021 : $2,820
Remaining to collect : $21,180

Added lines 58-59:
24.06.2021Anonymous100 USDGoFundMe
24.06.2021Jose Alexandre Ferreira100 USDPayPal
June 24, 2021, at 12:42 PM by 109.99.227.30 -
Changed lines 47-50 from:

Collected amount at 24th of June 2021 : $0
Remaining to collect : $24,000

to:

Collected amount at 24th of June 2021 : $2,620
Remaining to collect : $21,380

Changed lines 52-53 from:
to:
DateNameAmountChannel
24.06.2021Flavio Goncalves1000 USDPayPal
24.06.2021OFFICErING SUPPORT500 USDGoFundMe
24.06.2021Giovanni Maruzzelli120 USDPayPal
24.06.2021Lounis Goudjil/Manifone1000 USDGoFundMe
June 24, 2021, at 11:08 AM by 109.99.227.30 -
Changed lines 5-6 from:

The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code. Nevertheless, the success of this endeavor highly depends on the support and sponsoring of the community.

to:

The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code.
Nevertheless, the success of this endeavor highly depends on the support and sponsoring of the community.

June 24, 2021, at 11:07 AM by 109.99.227.30 -
Changed line 5 from:

The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code.

to:

The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code. Nevertheless, the success of this endeavor highly depends on the support and sponsoring of the community.

June 24, 2021, at 11:02 AM by 109.99.227.30 -
Added lines 7-11:

(:table border=0 cellpadding=5 cellspacing=0 width=100% :)

(:cell width=70%:)

Added lines 44-56:

The current status

Collected amount at 24th of June 2021 : $0
Remaining to collect : $24,000

Our Sponsors:

(:cell width=30%:)

Changed lines 69-79 from:

The current status

Collected amount at 24th of June 2021 : $0
Remaining to collect : $24,000

Our Sponsors:

to:

(:tableend:)

June 24, 2021, at 10:48 AM by 109.99.227.30 -
Changed line 50 from:

For any other information, please do not hesitate to contact us? !

to:

For any other information, please do not hesitate to contact us !

Changed lines 54-56 from:

Collected amount at 24th of June 2021 : $0 Remaining to collect : $24,000

to:

Collected amount at 24th of June 2021 : $0
Remaining to collect : $24,000

Added line 60:
June 24, 2021, at 10:46 AM by 109.99.227.30 -
Added lines 1-62:
Community -> The Security Audit

Following the OpenSIPS 3.2 major release (LTS), based on the community feedback, the decision of performing a professional security audit was taken. This security audit is based on the concept of White box Penetration Testing and it will be managed at the project level, with the help of community, for the benefits of the community. The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code.


Why a security audit

OpenSIPS is one of the most used Open Source SIP Servers, used in thousands of deployments, for various purposes / scenarios. But one factor stands in all these cases - the security of your OpenSIPS, how reliable it is, how vulnerable it is or how robust it is to external attacks or to bogus traffic. These security concerns are very important, in all the OpenSIPS deployment cases, as they exceed the boundary of the operator itself, impacting the end user or the external parties connecting into the operator's OpenSIPS - we all know this when comes to service SLAs.

So far there was an attempt to individually address this security concerns (by private testing), but the effort is high and not shared, so the overall efficiency is rather small. The proper answer is an collective public effort, with public benefits for all.


The goals of this audit

The work aims to uncover critical vulnerabilities within some of the most exposed code in OpenSIPS. Enable Security will be using proven techniques, including instrumented fuzzing, black box fuzzing, manual code review and security testing with their toolset, SIPVicious PRO in a concentrated effort to discover security issues within the project.

The actual work includes development of automated tests, and fuzzing harness code as well as manual testing to identify vulnerabilities such as memory corruption issues, logic issues especially those that may lead to authentication bypass and denial of service vulnerabilities. The identification of such vulnerabilities will allow OpenSIPS to address these bugs which in turn will help the project become an even more robust and secure solution.

Enable Security is known for having dedicated RTC security expertise through its various bug reports, research publications, presentations and other resources that are compiled as part of their contributions to the community and the RTC world. In this case, Enable Security would be focusing on a security audit on OpenSIPS as they do within their commercial security services, thus making a dedicated effort to identify more than just _low hanging fruit_ security issues.

Apart from a technical report with full details of their exploits and methodology, their aim is to provide the community with contributions to the OpenSIPS project so that it can be integrated within the OSS-Fuzz project and other automated quality assurance processes. This will ensure that OpenSIPS can be easily tested for security vulnerabilities that may be introduced in future updates.


How it will be done

The developing team of OpenSIPS worked out together with the Enable Security's team what are the parts of OpenSIPS to be subject to Pen Tests. This decision was taken based on the (1) potential vulnerability of certain parts of the code and (2) the testing / fuzzing possibilities.

We already worked out an commercial agreement with Enable Security for running the Security Audit. And we do appreciate all the help and support from they side, considering the fact that we are a non-commercial Open Source Project.

Based on this agreement, we, as OpenSIPS Project, will have to raise the amount for 24,000 USD. This has to be an collective effort of all the people, companies or other entities which are using OpenSIPS and value the safety and reliability of their OpenSIPS deployments.

Once the amount is fully raise, Enable Security will proceed with performing all the White Box Pen Tests under the commercial agreement. The results of this testing will go public, to the benefits of the entire community.

We, as developers and maintainers of OpenSIPS Project will take on the job of working out the fixes for the potential issues revealed by the testing.


Get involved by sponsoring

As said, this is a community effort, for the community's benefit.

So, please be part of this effort and sponsor this Security Audit work. There are multiple ways of doing that:

  • check our public fund raising via the GoFundMe platform
  • use our official paypal account to donate, paypal@opensips.org . Let us know if you need any info or support, we can generate custom PayPal request on demand
  • let us know if you are considering a wire transfer (bank account), we can assist that, with proper invoicing

All our sponsors, tiny or generous, will be publicly listed here, as a sign of gratitude for their contribution.

For any other information, please do not hesitate to contact us? !


The current status

Collected amount at 24th of June 2021 : $0 Remaining to collect : $24,000

Our Sponsors:


Copyright 2021, The OpenSIPS Project


Page last modified on April 28, 2022, at 06:00 PM