CVE-2022-24754: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in pjsip pjproject
PJSIP is a free and open source multimedia communication library written in C. In versions up to and including 2.12 of PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length equals `PJSIP_MD5STRLEN` before passing it to PJSIP.
AI Analysis
Technical Summary
CVE-2022-24754 is a stack-based buffer overflow in PJSIP (pjproject), the open-source SIP and multimedia library written in C that is embedded in many VoIP clients, PBXes and SIP stacks. It affects pjproject up to and including 2.12; this entry rates it medium and records no CVSS vector. The bug sits in the digest-authentication path that consumes a `pjsip_cred_info` whose `data_type` is `PJSIP_CRED_DATA_DIGEST`, i.e. a credential supplied as a pre-computed HA1 hash instead of a plaintext password. When building the digest, `pjsip_auth_create_digest()` copies the credential data into a fixed-size stack buffer of `PJSIP_MD5STRLEN` (32) bytes using the length stored in the credential, without first checking that the two agree (CWE-120). A longer value overruns the buffer and corrupts adjacent stack memory: at minimum the process crashes, and a controlled overwrite could be leveraged for code execution. The important point for triage is who controls that input. The credential comes from the application itself, either registered on the client side (for example in the `cred_info` array of `pjsua_acc_config`) or returned by the server-side credential lookup callback used by `pjsip_auth_srv_verify()`; it is not taken from a peer's SIP message. Exposure therefore depends on whether an untrusted party can write an oversized digest string into the application's account configuration or credential store. The fix in the PJSIP master branch rejects digest credentials whose length is not `PJSIP_MD5STRLEN` and is scheduled for the next release; users who cannot upgrade should enforce the same check before handing a credential to PJSIP. No exploits in the wild were known at publication.
Potential Impact
For European organizations running PJSIP-based VoIP infrastructure, unified communications platforms or SIP-enabled devices (enterprises, telecom providers and public bodies alike), the direct consequence is an application crash, i.e. loss of the affected signaling service; on builds without stack protection a controlled overflow could escalate to code execution inside the process, putting the confidentiality and integrity of call signaling and media set-up at the attacker's disposal. What keeps this from being a remote pre-authentication bug is the input path: the oversized digest string has to reach the application's own credential configuration or credential store, not a SIP Authorization header sent by a peer. Realistic exposure is therefore a provisioning portal, management API, database or configuration file that accepts arbitrary-length HA1 ("md5") credential values, or a multi-tenant service whose tenants supply their own hashed credentials. The attacker needs whatever access those channels require; unauthenticated network access to the SIP port alone does not suffice. No public exploitation was known at the time of publication, but the component is widely embedded and the mitigation is a simple length check, so there is little reason to defer it.
Mitigation Recommendations
1. Upgrade to the first pjproject release after 2.12 that contains the fix, or build from the master branch at or after the fix commit.
2. Where an upgrade is not yet possible, validate in your own code: before populating a `pjsip_cred_info` with `data_type` `PJSIP_CRED_DATA_DIGEST`, or returning one from a server-side credential lookup callback, reject any value whose `data.slen` is not `PJSIP_MD5STRLEN` (and, stricter, anything that is not exactly 32 hexadecimal digits).
3. Enforce the same format at the source: provisioning UIs, management APIs and database schemas that store HA1 credentials should constrain them to 32 hex characters so an oversized value can never reach the application.
4. Treat write access to the credential store as sensitive: restrict who can create or edit SIP accounts and audit changes to hashed credentials.
5. Network segmentation and limiting SIP exposure to trusted networks remain sound defense in depth, but they do not address this bug's trigger; a SIP-aware IDS/IPS will not see the malformed credential, because the stored HA1 never appears on the wire.
6. Build with stack protection, ASLR and FORTIFY enabled and run PJSIP-based services under least privilege so that a crash does not become a compromise.
7. Make operations and security teams aware of the symptom to watch for: unexpected crashes during digest authentication following a credential change.
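The following is an added example, not code from PJSIP or from this advisory's author. It is written in C and mirrors the shape of PJSIP's `pjsip_cred_info` (a `data_type` plus a `pj_str_t` of pointer and length) so the check maps directly onto real callers; the struct, the enum values and the function names here are stand-ins, and production code would use `pjsip_cred_info` and the constants from `pjsip/sip_auth.h`. It places the unchecked copy pattern the CVE describes beside a guarded version and gives the pre-flight validator an application can run before passing a credential to PJSIP. The hex-digit test goes beyond the advisory's length-only requirement. The sample HA1 strings are constructed test values, not real accounts.

```c
/* Added example mirroring the CVE-2022-24754 pattern; not PJSIP code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PJSIP_MD5STRLEN 32             /* MD5 digest rendered as hex; same value PJSIP uses */
#define PJSIP_CRED_DATA_PLAIN_PASSWD 0 /* placeholder enum values, not PJSIP's */
#define PJSIP_CRED_DATA_DIGEST 1

typedef struct { const char *ptr; long slen; } str_t;     /* stands in for pj_str_t */
typedef struct { int data_type; str_t data; } cred_info;  /* subset of pjsip_cred_info */

/* BEFORE: the caller-supplied length drives the copy into a 32-byte stack buffer.
 * Any slen > PJSIP_MD5STRLEN smashes the stack. Shown for comparison only and never
 * called with oversized input in this example. */
static void copy_ha1_unchecked(const cred_info *cred, char ha1[PJSIP_MD5STRLEN])
{
    memcpy(ha1, cred->data.ptr, (size_t)cred->data.slen);
}

/* Pre-flight check an application runs before handing a credential to PJSIP.
 * Returns 0 if acceptable, -1 otherwise. Non-digest credentials are not this
 * check's business and pass through. The hex test is stricter than the advisory's
 * minimum: PJSIP's own HA1 is 32 hex digits, so anything else is mis-provisioned. */
static int validate_digest_cred(const cred_info *cred)
{
    long i;
    if (cred->data_type != PJSIP_CRED_DATA_DIGEST)
        return 0;
    if (cred->data.ptr == NULL || cred->data.slen != PJSIP_MD5STRLEN)
        return -1;
    for (i = 0; i < cred->data.slen; i++) {
        if (!isxdigit((unsigned char)cred->data.ptr[i]))
            return -1;
    }
    return 0;
}

/* AFTER: the same copy, guarded. Only digest credentials are copied (plain
 * passwords are hashed by the library instead), and the copy length is the fixed
 * buffer size, not a caller-chosen value. Returns 0 on success, -1 if rejected;
 * ha1 is left untouched on rejection. */
static int copy_ha1_checked(const cred_info *cred, char ha1[PJSIP_MD5STRLEN])
{
    if (cred->data_type != PJSIP_CRED_DATA_DIGEST || validate_digest_cred(cred) != 0)
        return -1;
    memcpy(ha1, cred->data.ptr, PJSIP_MD5STRLEN);
    return 0;
}

/* Constructed sample credentials (test values, not real accounts). */
static const char HA1_OK[]   = "5f4dcc3b5aa765d61d8327deb882cf99";          /* 32 hex chars */
static const char HA1_LONG[] = "5f4dcc3b5aa765d61d8327deb882cf99deadbeef";  /* 40 chars: would overflow */
static const cred_info SAMPLE_OK    = { PJSIP_CRED_DATA_DIGEST, { HA1_OK, 32 } };
static const cred_info SAMPLE_LONG  = { PJSIP_CRED_DATA_DIGEST, { HA1_LONG, 40 } };
static const cred_info SAMPLE_SHORT = { PJSIP_CRED_DATA_DIGEST, { HA1_OK, 31 } };
static const cred_info SAMPLE_NOHEX = { PJSIP_CRED_DATA_DIGEST, { "zz4dcc3b5aa765d61d8327deb882cf99", 32 } };
static const cred_info SAMPLE_PLAIN = { PJSIP_CRED_DATA_PLAIN_PASSWD, { "secret", 6 } };

/* Returns 1 if the credential was accepted and copied intact, 0 if rejected. */
static int checked_copy_roundtrip(const cred_info *cred)
{
    char ha1[PJSIP_MD5STRLEN];
    if (copy_ha1_checked(cred, ha1) != 0)
        return 0;
    return memcmp(ha1, cred->data.ptr, PJSIP_MD5STRLEN) == 0;
}

int main(void)
{
    const struct { const char *name; const cred_info *cred; } cases[] = {
        { "valid 32-hex HA1",          &SAMPLE_OK },
        { "40-byte HA1 (overflow)",    &SAMPLE_LONG },
        { "31-byte HA1",               &SAMPLE_SHORT },
        { "32 bytes, non-hex",         &SAMPLE_NOHEX },
        { "plain password (n/a)",      &SAMPLE_PLAIN },
    };
    char ha1[PJSIP_MD5STRLEN];
    size_t i;

    copy_ha1_unchecked(&SAMPLE_OK, ha1);  /* safe only because the input is exactly 32 bytes */

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-26s validate=%2d  checked copy=%s\n", cases[i].name,
               validate_digest_cred(cases[i].cred),
               checked_copy_roundtrip(cases[i].cred) ? "ok" : "rejected");
    }
    return 0;
}
```

The guard belongs at the boundary where the credential is built, typically right before `pjsua_acc_add()` on a client or inside the server's credential lookup callback, because that is the last point at which the application, rather than the library, still owns the length.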
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2773
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 2:42:41 PM
Last updated: 7/30/2025, 11:48:01 PM