CVE-2022-45909: n/a in n/a
drachtio-server before 0.8.19 has a heap-based buffer over-read via a long Request-URI in an INVITE request.
AI Analysis
Technical Summary
CVE-2022-45909 is a critical heap-based buffer over-read vulnerability affecting drachtio-server versions prior to 0.8.19. It arises when the server processes an INVITE request containing an excessively long Request-URI. The flaw is classified as CWE-125 (Out-of-bounds Read): the server reads beyond the bounds of an allocated heap buffer because the Request-URI length is insufficiently validated. This can disclose sensitive memory contents, potentially exposing confidential data, or cause denial of service by crashing the server.
The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and does not require user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS v3.1 base score is 9.1, reflecting high confidentiality impact and high availability impact, but no integrity impact. Although no known exploits are currently reported in the wild, the ease of exploitation and critical severity warrant immediate attention.
The provided data lists no vendor or product details. drachtio-server is a SIP server implementation used in VoIP infrastructures to handle SIP signaling. The vulnerability specifically targets the SIP INVITE method, which is fundamental to establishing VoIP calls, making this a significant threat to telephony services relying on drachtio-server. No patch links are provided, so users should verify their version and upgrade to 0.8.19 or later, where the issue is resolved.
Potential Impact
For European organizations, especially those operating VoIP telephony systems or unified communications platforms utilizing drachtio-server, this vulnerability poses a significant risk. Successful exploitation can lead to service disruption through denial of service, impacting business communications and potentially causing operational downtime. The confidentiality breach risk could expose sensitive call metadata or other memory-resident information, which may include credentials or session data. Critical infrastructure sectors such as telecommunications providers, financial institutions, healthcare, and government agencies in Europe that rely on SIP-based communications could face targeted attacks aiming to disrupt services or gather intelligence. Given the remote and unauthenticated nature of the exploit, attackers can launch attacks from anywhere, increasing the threat landscape. The impact on availability is particularly concerning for emergency services and other time-sensitive communication systems. Additionally, the potential for memory disclosure could aid attackers in crafting further targeted attacks or lateral movement within networks.
Mitigation Recommendations
1. Immediate upgrade: Organizations should verify their drachtio-server version and upgrade to version 0.8.19 or later where the vulnerability is patched.
2. Network-level filtering: Implement SIP-aware firewalls or Session Border Controllers (SBCs) to inspect and limit the length of Request-URI fields in INVITE requests, blocking suspiciously long or malformed SIP messages before they reach the server.
3. Rate limiting and anomaly detection: Deploy monitoring tools to detect abnormal SIP traffic patterns, such as unusually long Request-URIs or repeated malformed INVITE requests, to identify and mitigate exploitation attempts early.
4. Segmentation: Isolate VoIP infrastructure from general corporate networks to limit the blast radius of any successful exploitation.
5. Logging and alerting: Enhance logging on SIP servers to capture anomalous INVITE requests and set up alerts for potential exploitation indicators.
6. Vendor engagement: Engage with drachtio-server maintainers or community to obtain official patches or mitigations if not publicly available.
7. Incident response readiness: Prepare response plans for potential denial of service or data leakage incidents related to VoIP infrastructure.
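The check behind recommendations 2, 3 and 5 can be sketched as follows. This is an added example, not code from drachtio-server or from this page; `MAX_URI_LEN`, `REPEAT_THRESHOLD` and the sample traffic are assumptions, since the page gives no trigger length.

```python
import re
from collections import Counter

# Assumed policy ceiling in bytes (not the bug's trigger length, which the
# page does not state). Set it to the longest URI your deployment really uses.
MAX_URI_LEN = 256
# Assumed escalation threshold: flagged INVITEs from a single source.
REPEAT_THRESHOLD = 3

# RFC 3261 Request-Line: Method SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (SIP/\d\.\d)$")

def inspect_sip(raw: bytes) -> str:
    """Classify one SIP message: 'ok', 'oversized-uri', 'malformed' or 'ignored'."""
    first_line = raw.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SIP/"):
        return "ignored"  # a response carries no Request-URI
    m = REQUEST_LINE.match(first_line)
    if m is None:
        # Only unparsable lines that claim to be an INVITE are of interest here.
        return "malformed" if first_line.startswith(b"INVITE") else "ignored"
    method, uri, _version = m.groups()
    if method != b"INVITE":
        return "ignored"
    return "oversized-uri" if len(uri) > MAX_URI_LEN else "ok"

def scan(events):
    """events: iterable of (source_ip, raw_message) -> (alerts, repeat_sources)."""
    alerts, per_source = [], Counter()
    for src, raw in events:
        verdict = inspect_sip(raw)
        if verdict in ("oversized-uri", "malformed"):
            alerts.append((src, verdict))
            per_source[src] += 1
    repeaters = sorted(s for s, n in per_source.items() if n >= REPEAT_THRESHOLD)
    return alerts, repeaters

def make_invite(uri: bytes) -> bytes:
    return b"INVITE " + uri + b" SIP/2.0\r\nContent-Length: 0\r\n\r\n"

# Constructed sample traffic using documentation addresses, not real captures.
SAMPLE = [
    ("192.0.2.10", make_invite(b"sip:alice@example.com")),
    ("198.51.100.7", make_invite(b"sip:" + b"a" * 300 + b"@example.com")),
    ("198.51.100.7", make_invite(b"sip:" + b"b" * 600 + b"@example.com")),
    ("198.51.100.7", b"INVITE sip:bob@example.com\r\n\r\n"),
    ("192.0.2.10", b"OPTIONS sip:example.com SIP/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A length filter like this only reduces exposure in front of an unpatched server; upgrading to 0.8.19 or later remains the fix.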
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-11-26T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d983ec4522896dcbefede
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/22/2025, 5:23:01 AM
Last updated: 8/3/2025, 12:28:49 AM