Kamailio Project Kamailio SIP Server NULL Pointer Dereference Vulnerability in Version 5.5

Vulnerability

A null pointer dereference vulnerability has been identified in Kamailio SIP Server version 5.5. The issue arises in the function 'rve_is_constant' within 'src/core/rvalue.c', where the parser action for 'exp_elem' calls 'rve_is_constant($3)' without checking if '$3' is non-null. This oversight allows specially crafted configuration inputs to pass a null pointer, leading to a dereference of a null value and causing a segmentation fault, which crashes the server. This vulnerability requires local exploitation and has been publicly disclosed with an available proof-of-concept exploit.
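The defensive pattern the advisory implies, as an added example that is not Kamailio's own code: a hypothetical expression tree stands in for the project's rvalue structures, the unchecked variant dereferences its argument directly (the shape of the reported bug), and the guarded variant returns an error for a missing operand so the parser action can reject the configuration instead of crashing. Type names, function names and return codes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a parsed right-value expression tree
 * (constructed for this example; not the project's own types). */
enum rve_kind { RVE_CONST, RVE_VAR, RVE_BINOP };

struct rve {
    enum rve_kind kind;
    struct rve *left;   /* operands for RVE_BINOP; NULL otherwise */
    struct rve *right;
};

/* Vulnerable shape: the argument is dereferenced without a NULL check,
 * so a parser action passing a missing operand segfaults here. */
int rve_is_constant_unchecked(const struct rve *rve)
{
    switch (rve->kind) {
    case RVE_CONST: return 1;
    case RVE_VAR:   return 0;
    case RVE_BINOP:
        return rve_is_constant_unchecked(rve->left) &&
               rve_is_constant_unchecked(rve->right);
    }
    return 0;
}

/* Hardened shape: a NULL node at any depth is reported as -1 (malformed)
 * rather than dereferenced; 1 = constant, 0 = not constant. */
int rve_is_constant_guarded(const struct rve *rve)
{
    if (rve == NULL)
        return -1;
    switch (rve->kind) {
    case RVE_CONST: return 1;
    case RVE_VAR:   return 0;
    case RVE_BINOP: {
        int l = rve_is_constant_guarded(rve->left);
        int r = rve_is_constant_guarded(rve->right);
        if (l < 0 || r < 0)
            return -1;
        return l && r;
    }
    }
    return -1;
}

/* What a parser action should do with the result: reject the config
 * on a malformed expression instead of continuing with a bad pointer. */
int parser_action_exp_elem(const struct rve *operand)
{
    int rc = rve_is_constant_guarded(operand);
    if (rc < 0) {
        fprintf(stderr, "config parse error: missing operand in expression\n");
        return -1;
    }
    return rc;
}

/* Constructed sample trees (not taken from any real configuration). */
int demo_constant_expr(void)        /* (1 + 2): fully constant */
{
    struct rve one = { RVE_CONST, NULL, NULL };
    struct rve two = { RVE_CONST, NULL, NULL };
    struct rve sum = { RVE_BINOP, &one, &two };
    return parser_action_exp_elem(&sum);
}

int demo_variable_expr(void)        /* (1 + $var): not constant */
{
    struct rve one = { RVE_CONST, NULL, NULL };
    struct rve var = { RVE_VAR, NULL, NULL };
    struct rve sum = { RVE_BINOP, &one, &var };
    return parser_action_exp_elem(&sum);
}

int demo_missing_operand(void)      /* (1 + <missing>): guard triggers */
{
    struct rve one = { RVE_CONST, NULL, NULL };
    struct rve broken = { RVE_BINOP, &one, NULL };
    return parser_action_exp_elem(&broken);
}

int main(void)
{
    printf("constant: %d\n", demo_constant_expr());
    printf("variable: %d\n", demo_variable_expr());
    printf("missing operand: %d\n", demo_missing_operand());
    return 0;
}
```

The guard is placed inside the callee rather than only at the call site so that every caller, including recursive ones, benefits; the parser action then treats a negative return as a configuration error, which keeps the process alive and leaves a log line for operators to act on.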

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition where the Kamailio server crashes during startup and fails to run. While the immediate impact is a process crash, this vulnerability could disrupt availability-critical deployments.

Reproduction

To reproduce this vulnerability, replace the default Kamailio configuration file with a crafted one that triggers the null pointer dereference during expression evaluation. Then, run Kamailio with AddressSanitizer enabled to observe the crash and the associated error report, which will indicate the null pointer dereference in the 'rve_is_constant' function, called from the parser action that handled the malformed configuration.

Added: Oct 27, 2025, 3:22 AM
Updated: Oct 27, 2025, 3:22 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          2.5
  exploitability  5.4
  remediation     0.0
  relevance       0.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.