Welcome to the end of March, and this month’s edition of the RTCSec Newsletter. This one’s a short one.
In this edition, we cover:
- German military phone call leak and Webex
- WhatsApp’s past VoIP stack vulnerabilities and preventing future exploits
- Security fixes in Apple’s WebRTC framework and baresip
- WebRTC podcast covers security with Tsahi Levent-Levi
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- forward to those that may find this newsletter particularly fruitful.
- let us know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Security consultancy for your RTC projects
If you are using open-source software such as OpenSIPS, Kamailio, FreeSWITCH or Asterisk to build custom solutions, you realize how flexible and powerful these solutions can be for your platform. You may also need security consultancy and help with security testing of some VoIP or WebRTC components. That is why we offer consultancy services.
What’s happening?
Taurus-leak involving the German military and Webex
The month started with news that a call between German military personnel had been leaked on the Russian social network VK. The entire call is still available on the social network and can be listened to from start to end. Of interest is the fact that the calls happened over a military version of Webex, with servers hosted in Germany.
What appears to have happened is that the calls occurred over dial-in (PSTN) rather than through the Webex apps or the browser (WebRTC-based) version. Webex, like many other online conferencing platforms, allows dial-in as well as SIP/H.323 calls, neither of which would necessarily guarantee any level of confidentiality. To read more about it, check out The Register and the relevant Wikipedia pages in English and translated German.
NSO Group’s spyware source code to be shared with Meta, and VoIP stack exploitation
In a legal case initiated by Meta against NSO Group, the court ruled that NSO Group must surrender its Pegasus source code and “all related spyware” to Meta. Notably, NSO Group exploited a buffer overflow flaw in the WhatsApp VoIP stack, identified as CVE-2019-3568. This flaw was exploited by sending a series of specially crafted RTCP packets to a target, triggering the vulnerability.
Furthermore, as we mentioned last month, Meta recently implemented a new memory allocator in the WhatsApp VoIP calling library. This update enhances security by making it more difficult to exploit buffer overflows and memory corruption vulnerabilities, such as the one exploited by NSO Group. This enhancement has been applied to WhatsApp on both Android and iOS platforms.
Security fixes in baresip
The baresip project issued a security advisory and security fixes in version 3.10.1 for a Denial of Service issue involving RTP timestamps. The security issue was originally reported as a ticket on the project’s bug tracker and details can be seen here.
Details on CVE-2024-1580 vulnerability in iOS, iPadOS, macOS, and Safari’s WebRTC and CoreMedia
Apple released security updates for all its platforms including iOS, macOS and Safari to address a vulnerability tracked as CVE-2024-1580. The vulnerability affects the CoreMedia and WebRTC frameworks and is related to decoding of AV1 video. In fact, the vulnerability was actually discovered in dav1d, an open source library from VideoLAN, and consists of an integer overflow which may result in an out-of-bounds write.
So we were wondering, does Apple’s WebRTC stack actually use dav1d for decoding AV1 video? It turns out that they had switched from libaom (used by Chromium and friends) to dav1d back in January 2023.
The vulnerability was discovered by Nick Galloway working with Google Project Zero and a bug report can be found on their bug tracker.
Security scanners detecting vulnerable Cisco IP Phones
Tenable added a bunch of checks for vulnerable Cisco IP Phones in their Tenable OT Security products. All of the security issues detected are from past years, ranging from 2011 to 2023, specifically affecting the call-handling functionality, web-based management interface, and SIP software. These vulnerabilities could allow unauthenticated, remote attackers to cause denial of service (DoS) conditions, execute arbitrary code, bypass authorization, and conduct cross-site request forgery (CSRF) attacks.
The vulnerabilities include incomplete error handling in parsing XML data within SIP packets, insufficient CSRF protections in the web-based management interface, high disk utilization leading to a DoS condition, lack of proper input validation in HTTP requests, and improper validation of input SIP packets. Successful exploits could result in phone reloads, dropped calls, high disk utilization, unauthorized access to critical services, resource consumption, and unexpected interruptions of phone services.
Affected devices include Cisco IP Phone 7800 Series, 8800 Series, 6800 Series, Wireless IP Phone 8821 and 8821-EX, and IP Conference Phone 8832.
WebRTC Live Podcast - Security with Tsahi Levent-Levi
Tsahi, who is behind the well-known WebRTC blog BlogGeek.me, was a guest on the latest WebRTC Live episode. The last part of the episode discusses WebRTC security and is worth a listen.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.