openSIPS | Community / Security-Audit

Community -> The Security Audit

The Security Audit is completed! A lot of fuzzing, testing and of course fixing. Everything just to make OpenSIPS more secure.

Following the OpenSIPS 3.2 major release (LTS), based on the community feedback, the decision of performing a professional security audit was taken. This security audit is based on the concept of White box Penetration Testing and it will be managed at the project level, with the help of community, for the benefits of the community. The Audit is an Open project - the results will be public and the all the derived fixes and enhancements will be of the benefit of the entire community- they will go into the public project/code.
Nevertheless, the success of this endeavor highly depends on the support and sponsoring of the community.

Why a security audit

OpenSIPS is one of the most used Open Source SIP Servers, used in thousands of deployments, for various purposes / scenarios. But one factor stands in all these cases - the security of your OpenSIPS, how reliable it is, how vulnerable it is or how robust it is to external attacks or to bogus traffic. These security concerns are very important, in all the OpenSIPS deployment cases, as they exceed the boundary of the operator itself, impacting the end user or the external parties connecting into the operator's OpenSIPS - we all know this when comes to service SLAs.

So far there was an attempt to individually address this security concerns (by private testing), but the effort is high and not shared, so the overall efficiency is rather small. The proper answer is an collective public effort, with public benefits for all.

The goals of this audit

The work aims to uncover critical vulnerabilities within some of the most exposed code in OpenSIPS. Enable Security will be using proven techniques, including instrumented fuzzing, black box fuzzing, manual code review and security testing with their toolset, SIPVicious PRO in a concentrated effort to discover security issues within the project.

The actual work includes development of automated tests, and fuzzing harness code as well as manual testing to identify vulnerabilities such as memory corruption issues, logic issues especially those that may lead to authentication bypass and denial of service vulnerabilities. The identification of such vulnerabilities will allow OpenSIPS to address these bugs which in turn will help the project become an even more robust and secure solution.

Enable Security is known for having dedicated RTC security expertise through its various bug reports, research publications, presentations and other resources that are compiled as part of their contributions to the community and the RTC world. In this case, Enable Security would be focusing on a security audit on OpenSIPS as they do within their commercial security services, thus making a dedicated effort to identify more than just _low hanging fruit_ security issues.

Apart from a technical report with full details of their exploits and methodology, their aim is to provide the community with contributions to the OpenSIPS project so that it can be integrated within the OSS-Fuzz project and other automated quality assurance processes. This will ensure that OpenSIPS can be easily tested for security vulnerabilities that may be introduced in future updates.

How it will be done

The developing team of OpenSIPS worked out together with the Enable Security's team what are the parts of OpenSIPS to be subject to Pen Tests. This decision was taken based on the (1) potential vulnerability of certain parts of the code and (2) the testing / fuzzing possibilities.

We already worked out an commercial agreement with Enable Security for running the Security Audit. And we do appreciate all the help and support from they side, considering the fact that we are a non-commercial Open Source Project.

Based on this agreement, we, as OpenSIPS Project, will have to raise the amount for 24,000 USD. This has to be an collective effort of all the people, companies or other entities which are using OpenSIPS and value the safety and reliability of their OpenSIPS deployments.

Once the amount is fully raise, Enable Security will proceed with performing all the White Box Pen Tests under the commercial agreement. The results of this testing will go public, to the benefits of the entire community.

We, as developers and maintainers of OpenSIPS Project will take on the job of working out the fixes for the potential issues revealed by the testing.

The current status

Collected amount at 13th of Sept 2021 : $27,220
Remaining to collect : -3220$ :)
Our Sponsors:

Date	Name	Amount	Channel
24.06.2021	Flavio Goncalves	1000 USD	PayPal
24.06.2021	OpenSIPS Solutions	2000 USD	PayPal
24.06.2021	OFFICErING SUPPORT	500 USD	GoFundMe
24.06.2021	Giovanni Maruzzelli	120 USD	PayPal
24.06.2021	Lounis Goudjil / Manifone	1000 USD	GoFundMe
24.06.2021	Anonymous	100 USD	GoFundMe
24.06.2021	Jose Alexandre Ferreira	100 USD	PayPal
24.06.2021	Dave Horton	100 USD	GoFundMe
24.06.2021	Mickael Hubert	120 USD	PayPal
24.06.2021	Connex Carrier Services (Worldwide) Limited	1000 USD	PayPal
25.06.2021	Mayama Takeshi	100 USD	GoFundMe
25.06.2021	Dioris Moreno / Libereco Systems	100 USD	PayPal
27.06.2021	Sharad Kumar	200 USD	GoFundMe
30.06.2021	Mike Tesliuk	100 USD	GoFundMe
01.07.2021	Peter Kelly	1000 USD	GoFundMe
01.07.2021	Bernard Buitenhuis / MaxiTel	2000 USD	Wire Transfer
04.07.2021	Andrew Yager	2000 USD	GoFundMe
05.07.2021	X-on Surgery Connect	150 USD	GoFundMe
16.07.2021	Ivan Poddubnyi	100 USD	GoFundMe
17.07.2021	Ameed Jamous / TelecomsXChange	100 USD	PayPal
22.07.2021	Axeos Services BV	1200 USD	Wire Transfer
22.07.2021	Maksym Sobolyev	200 USD	PayPal
26.07.2021	OpenSIPS Friends	4500 USD	Wire Transfer
26.08.2021	Vasilios Tzanoudakis / Voiceland SA	1000 USD	Wire Transfer
07.09.2021	Alexey Vasilyev	100 USD	PayPal
07.09.2021	Jarrod Baumann	500 USD	PayPal
08.09.2021	Maxim Sobolev / Sippy Software	1000 USD	PayPal
08.09.2021	Sumit Birla	100 USD	GoFundMe
08.09.2021	David Duffett	150 USD	GoFundMe
08.09.2021	Voicenter / Shlomi Gutman	1000 USD	PayPal
08.09.2021	OpenSIPS Solutions	1000 USD	PayPal
08.09.2021	Adam Jeffery	20 USD	GoFundMe
08.09.2021	Jonathan Abrams	250 USD	GoFundMe
09.09.2021	Simon Devine	500 USD	GoFundMe
09.09.2021	Umar Sear	100 USD	GoFundMe
09.09.2021	QXIP BV	1000 USD	GoFundMe
09.09.2021	Airbytes Communications Limited	150 USD	PayPal
10.09.2021	Real World Group	1360 USD	GoFundMe
13.09.2021	Antonis Psaras / Microbase P.C.	1200 USD	Wire Transfer

Get involved by sponsoring

As said, this is a community effort, for the community's benefit.

So, please be part of this effort and sponsor this Security Audit work. There are multiple ways of doing that:

check our public fund raising via the GoFundMe platform. Here the target will be dynamically updated according to the overall collected amount, via all the channels
use our official paypal account to donate, paypal@opensips.org . Let us know if you need any info or support, we can generate custom PayPal request on demand
let us know if you are considering a wire transfer (bank account), we can assist that, with proper invoicing

All our sponsors, tiny or generous, will be publicly listed here, as a sign of gratitude for their contribution.

For any other information, please do not hesitate to contact us !