CVE-2022-39269 is a vulnerability in the PJSIP pjproject, an open-source multimedia communication library widely used for VoIP and real-time communication applications. The vulnerability arises from improper handling of Secure Real-time Transport Protocol (SRTP) sessions. Specifically, when processing certain packets during an SRTP restart, the pjproject may incorrectly revert from using SRTP to unencrypted RTP, resulting in the transmission of media streams in cleartext. This flaw affects all versions of pjproject from 2.11 up to, but not including, 2.13, where the issue has been patched. The vulnerability is classified under CWE-319, which concerns the cleartext transmission of sensitive information. Since SRTP is designed to protect the confidentiality and integrity of voice and video streams, this fallback to RTP exposes sensitive media content to interception and eavesdropping by attackers capable of network packet capture. The vulnerability does not require user interaction or authentication to be exploited, as it is triggered by the protocol's handling of SRTP restart packets. No known exploits have been reported in the wild, but the risk remains significant due to the sensitive nature of the data transmitted. The patch is available in the pjproject master branch and will be included in version 2.13; users are advised to upgrade or manually apply the patch. No workarounds are currently known, emphasizing the importance of timely remediation.

For European organizations, the impact of this vulnerability can be substantial, especially for entities relying on PJSIP-based communication systems for secure voice and video calls, such as telecommunications providers, call centers, government agencies, and enterprises with remote communication infrastructure. The exposure of unencrypted media streams can lead to confidentiality breaches, allowing attackers to intercept sensitive conversations, potentially leaking personal data, intellectual property, or classified information. This undermines trust in communication channels and may violate data protection regulations such as the GDPR, leading to legal and financial repercussions. Additionally, the integrity of communication could be compromised if attackers manipulate RTP streams, although this is less directly indicated. The availability of services is less likely to be affected directly by this vulnerability. Given the widespread use of PJSIP in various softphones, PBX systems, and embedded communication devices, the scope of affected systems is broad. The ease of exploitation is moderate since it requires network access to intercept or manipulate SRTP restart packets, which may be feasible in local networks or through compromised network infrastructure. The lack of authentication or user interaction requirements increases the risk profile. Overall, European organizations with critical communication infrastructure using vulnerable pjproject versions face a medium to high risk of data exposure and regulatory non-compliance.

To mitigate this vulnerability, European organizations should prioritize upgrading pjproject to version 2.13 or later, where the patch addressing the SRTP fallback issue is included. If immediate upgrading is not feasible, applying the manual patch from the pjproject master branch is essential. Network administrators should monitor network traffic for unexpected RTP streams where SRTP is expected, using deep packet inspection tools to detect unencrypted media transmissions. Implementing strict network segmentation and access controls can reduce the risk of attackers gaining the necessary network position to exploit the vulnerability. Organizations should also audit and update their VoIP and communication system configurations to ensure SRTP is enforced and fallback to RTP is disabled or closely monitored. Regular security assessments and penetration testing focusing on VoIP infrastructure can help identify exploitation attempts. Finally, organizations should maintain up-to-date incident response plans that include scenarios involving interception of communication streams to respond swiftly to potential breaches.