
Very smart to avoid Asterisk, FreeSWITCH and SIP in general for a security-oriented program. SIP is moronically complex. As an illustration, the spec talks about using SIP to set up chess games, non-ironically. Like, that's how super-duper-abstract the SIP authors thought they were being. Of course, it's a bit strange to then explain why a mandatory header is "Call-ID", but hey, this is the IETF...

Also, all the major SIP platforms are thousands of lines of C or C++ just to parse this fucked up format. One particular popular project has almost 1M lines of C in its repo. And not a single CVE issued. Anyone taking bets on if it's more likely that there's never been an issue, or if we just don't notice? I mean, with switch statements spanning 1000+ lines, we can be sure it's top quality everywhere, right? One popular system allowed you to put shell commands in SIP headers, and it'd just go and execute them, due to ... creative[1] ... escaping and evaluation rules.

Not to mention that on every SIP network I've tested, even simple, trivial things like IP-based auth don't actually work. It's mind-boggling. It's just that there's even lower-hanging fruit so no one bothers with remotely fun attacks.

1: Insane and terribly thought-out.



