OTPulse

Belledonne Communications Linphone-Desktop

Plan PatchCVSS 7.5ICS-CERT ICSA-25-014-04Jan 14, 2025
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Linphone-Desktop versions prior to 5.3.99 contain a null pointer dereference vulnerability (CWE-476) that allows a remote attacker to cause a denial-of-service condition by sending a specially crafted packet. The vulnerability requires only network access and no authentication. Successful exploitation crashes the Linphone application, disrupting VoIP communication.

What this means
What could happen
An attacker could remotely crash Linphone-Desktop, disrupting VoIP communication services that may be used for critical plant operations or emergency coordination. This is a denial-of-service vulnerability with no data theft or system compromise, but loss of communication during an incident could hinder response.
Who's at risk
Water authorities and utilities using Linphone-Desktop for critical communications (dispatch, emergency coordination, plant-to-office voice calls) should prioritize this fix. Any organization relying on Linphone for operational voice communication during emergencies should treat this as a service continuity risk.
How it could be exploited
An attacker on the network could send a specially crafted packet or request to Linphone-Desktop that triggers a null pointer dereference (CWE-476), causing the application to crash. The attack requires no authentication and no user interaction. An attacker with network access to the device running Linphone-Desktop can trigger the crash remotely.
Prerequisites
  • Network access to the device running Linphone-Desktop on the port(s) Linphone uses (default SIP ports or configured ports)
  • No authentication required
  • No special configuration or precondition needed
remotely exploitableno authentication requiredlow complexityaffects communication infrastructuredenial-of-service impact on critical operations
Exploitability
Some exploitation risk — EPSS score 1.4%
Affected products (1)
ProductAffected VersionsFix Status
Linphone-Desktop: 5.2.65.2.65.3.99
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDRestrict network access to Linphone-Desktop by deploying firewall rules to limit connections from trusted sources only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Linphone-Desktop to version 5.3.99 or later from Belledonne Communications
Long-term hardening
0/2
HARDENINGIsolate devices running Linphone-Desktop from the Internet; do not expose them directly to untrusted networks
HARDENINGIf remote access to Linphone is required, route it through a VPN or secure tunnel rather than direct network exposure
View full CISA ICS-CERT advisory
API: /api/v1/advisories/044a5e4c-f6ff-4480-bc35-af0cf0197039

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Belledonne Communications Linphone-Desktop | CVSS 7.5 - OTPulse