OTPulse
FeedAboutContact

Belledonne Communications Linphone-Desktop

Plan Patch7.5ICS-CERT ICSA-25-014-04Jan 14, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Linphone-Desktop version 5.2.6 contains a null pointer dereference vulnerability (CWE-476) that allows remote attackers to cause a denial-of-service condition on affected devices without authentication or user interaction.

What this means
What could happen
An attacker can remotely crash Linphone-Desktop, disrupting VoIP communications and potentially affecting coordinated operations at critical infrastructure facilities that rely on Linphone for emergency communications.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators who use Linphone-Desktop for emergency voice communications on engineering workstations or control center terminals should prioritize this. The vulnerability affects any networked instance of Linphone-Desktop version 5.2.6.
How it could be exploited
An attacker sends a specially crafted network packet to a Linphone-Desktop instance reachable over the network. The packet triggers a null pointer dereference in the application, causing it to crash and become unavailable. No authentication or user action is required.
Prerequisites
  • Network-layer access to the device running Linphone-Desktop on its listening port
  • No credentials required
  • No user interaction required
remotely exploitableno authentication requiredlow complexity attackaffects communication systems used in critical operations
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (1)
ProductAffected VersionsFix Status
Linphone-Desktop: 5.2.65.2.65.3.99
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDRestrict network access to Linphone-Desktop to trusted devices and networks; implement firewall rules to block unsolicited inbound connections
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Linphone-Desktop to linphone-sdk version 5.3.99 or later
Long-term hardening
0/2
HARDENINGIf remote access to Linphone-Desktop is required, route communications through a VPN and ensure the VPN is updated to the latest version
HARDENINGIsolate systems running Linphone-Desktop from the public Internet and untrusted networks
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/044a5e4c-f6ff-4480-bc35-af0cf0197039
Belledonne Communications Linphone-Desktop | CVSS 7.5 - OTPulse