Welcome to the June 2024 edition of the RTCSec newsletter, covering VoIP and WebRTC security news and related topics.
In this edition, we cover:
- Our latest publication on our blog about WebRTC vulnerabilities
- Cisco WebEx’s seemingly obvious vulnerabilities and their effect on military and political entities
- Security fixes in Chrome, affecting WebRTC
- Vulnerabilities in Mitel phones, sngrep, and… iTunes?
- And more!
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
A Novel DoS Vulnerability Affecting WebRTC Media Servers
We have just published our latest research on a vulnerability affecting multiple WebRTC media servers. This issue has been notably fixed in Asterisk, FreeSWITCH, and rtpengine. However, we also discovered it on several well-known public platforms, VoIP services, and proprietary media servers.
TL;DR:
A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.
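As an added example (not code from the Enable Security post or from any of the media servers named above), the following Python demultiplexer implements the mitigation the TL;DR describes: DTLS and RTP packets are handed on only when they come from an (ip, port) pair that ICE has already validated, so a ClientHello that arrives first from an unvalidated source is dropped instead of racing the legitimate peer. The first-byte classification follows RFC 7983; the STUN check is a stand-in that only looks at the message type and magic cookie, and the addresses, sample packets and the IceGatedDemuxer name are all constructed for this example.

```python
from typing import Dict, List, Set, Tuple

Addr = Tuple[str, int]
STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"  # RFC 5389

def classify(packet: bytes) -> str:
    """First-byte demultiplexing per RFC 7983: STUN 0-3, DTLS 20-63, RTP/RTCP 128-191."""
    first = packet[0] if packet else -1
    for lo, hi, kind in ((0, 3, "stun"), (20, 63, "dtls"), (128, 191, "rtp")):
        if lo <= first <= hi:
            return kind
    return "unknown"

class IceGatedDemuxer:
    """Per-session demuxer: DTLS and RTP are accepted only from ICE-validated (ip, port) pairs."""
    def __init__(self) -> None:
        self.validated: Set[Addr] = set()
        self.dropped: Dict[str, int] = {}  # drop reason -> count; a useful signal for detection

    def _drop(self, reason: str) -> str:
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return "drop:" + reason

    def handle(self, src: Addr, packet: bytes) -> str:
        kind = classify(packet)
        if kind == "stun":
            # Stand-in for a real connectivity check: a production server must also verify
            # MESSAGE-INTEGRITY with the ICE password before trusting src (omitted here).
            if len(packet) < 20 or packet[:2] != b"\x00\x01" or packet[4:8] != STUN_MAGIC_COOKIE:
                return self._drop("malformed-stun")
            self.validated.add(src)
            return "accept:ice-validated"
        if src not in self.validated:
            # The mitigation: a ClientHello from an unvalidated source never reaches the
            # DTLS stack, so it cannot win the race against the legitimate peer.
            return self._drop("unvalidated-" + kind)
        return "accept:" + kind if kind in ("dtls", "rtp") else self._drop(kind)

def simulate_race() -> Tuple[List[str], Dict[str, int]]:
    """Constructed traffic: an unvalidated host sends a ClientHello before ICE completes."""
    legit, other = ("198.51.100.10", 50000), ("203.0.113.7", 40000)
    stun_req = b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE + b"\x00" * 12       # STUN Binding Request
    client_hello = b"\x16\xfe\xfd" + b"\x00" * 8 + b"\x00\x01" + b"\x01"   # DTLS 1.2 record, ClientHello
    rtp = b"\x80\x00" + b"\x00" * 10                                        # RTP v2 header
    traffic = [(other, client_hello), (legit, stun_req), (legit, client_hello), (other, rtp)]
    d = IceGatedDemuxer()
    return [d.handle(src, pkt) for src, pkt in traffic], d.dropped
```

The dropped counter is the kind of signal the post's detection advice points at: repeated unvalidated-dtls drops on a single session are worth alerting on.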
Read the rest of the blog post on our website.
Enable Security Consultancy Services
Not ready for a full penetration test? We offer consultancy to help you set up security tests for your VoIP and WebRTC systems. We’ll provide security advice, identify potential security flaws, and assist with critical security decisions.
Contact us by responding to this email or clicking here.
Heated Debate on Whether the WebRTC Specs Contain a Vulnerability
Our blog post sparked an engaging discussion on X (formerly Twitter) about whether the vulnerability stems from a lack of security documentation in the RFCs or if it is merely an implementation issue.
Ultimately, even those who strongly believed that this is not a vulnerability in the specs agreed that the specifications may need more explicit guidance on the receiving of media traffic after ICE media consent verification.
We’d like to thank Iñaki, Philipp Hancke, Lorenzo Miniero, Sergio Garcia Murillo, and Nils Ohlmeier for their contributions to this discussion.
Presenting and Meeting Friends at WarCon
This month, I attended WarCon, a small and intimate conference in Warsaw, Poland. The presentations were captivating, as were the various conversations with fellow hackers. I presented on the WebRTC media server vulnerability, aiming to inspire security professionals to explore VoIP and WebRTC.
One of the main challenges of my presentation was explaining enough technical background on WebRTC for the vulnerability to be understood, without getting lost in the details. I tried, with limited success, to accomplish this in just 20 minutes.
The presentation slides are available here.
Many thanks to the engaged audience, especially Simone Margaritelli who drew my attention to his own work where he met some of the same protocols (ICE) as used by the Apple MultiPeer Connectivity Framework.
What’s Happening?
Military and Political Implications of Cisco WebEx Vulnerabilities
The German media has reported on vulnerabilities in Cisco WebEx that allowed unauthorized access to virtual meetings, including those of the German armed forces and several major political parties. This issue also affected other countries, such as the Dutch government, which expressed significant dissatisfaction.
Help Net Security provides comprehensive coverage of the situation. The main concern is that tens of thousands of sensitive meetings could be compromised due to the following security vulnerabilities:
- Predictable meeting IDs: Predictable numbers make it easy to guess WebEx meeting locations if a previous meeting ID is known. This allows access to call metadata, including meeting titles, host names, and other data, even if a password is set.
- PSTN security bypass: When dialing in via PSTN, a password required for the online meeting can (apparently) be bypassed by simply pressing the hash key, granting access to the meeting.
Meetings without a password could be accessed with just the meeting ID.
These vulnerabilities were initially discovered by Netzbegrünung, which has detailed the issue in two blog posts (in German):
- Netzbegrünung Reveals IT Security and Data Protection Vulnerabilities of Cisco’s Video Conference Service WebEx
- Netzbegrünung Also Finds Vulnerabilities in the Cisco WebEx Cloud Service - Authorities and Companies Across Europe are Affected
We have not verified these vulnerabilities ourselves. Cisco addressed and fixed the meeting ID issue earlier this month. So, nothing to see here, move along!
Additional Chrome WebRTC Security Fixes (CVE-2024-5493)
Cassidy Kim, a bug hunter, has identified multiple security vulnerabilities in the WebRTC project. Last month, Chromium released security fixes for the latest WebRTC vulnerability reported by Kim and awarded them 7000 USD. This update also addresses another issue, a use-after-free vulnerability in Media Session reported by Kim, tracked as CVE-2024-5496.
Browsers based on Chromium should also be updated.
Although no detailed information has been released, xvonfers on X (Twitter) shared a link to a test case that reproduces the issue, accompanied by the following comment:
(CVE-2024-5493)[339877165][AV1] Initialize encoder with specific settings -> start encoding video -> change resolution/SVC layers dynamically -> desynchronized buffer allocation -> Heap BoF during encoding.
Short News
- sngrep Fixed a Heap Buffer Overflow Triggered by Malformed SIP Messages (CVE-2024-35434)
- Dhiraj Mishra has published an advisory containing stack traces from the address sanitizer that show a crash in sngrep. This issue, caused by a malformed SIP message, has been resolved in sngrep through commit da80ced. Detailed information on reproducing the crash is available in a GitHub issue. The vulnerability is tracked as CVE-2024-35434.
- Bank’s IVR Source Code Leaked
- Our comment: having the source code spoils the fun of playing with DTMF tones.
- Thai Raids Intercept Huge Number of Simboxes and Starlink Satellite Dishes Intended for Scam Call Centers
- The article on Commsrisk is about a major raid in Thailand involving Scam Call Centers. The post includes several images related to the raid with photos of the equipment used, including Telekom SIM cards.
- VoIP relevant quote: “Final leg of communications that also involved a VoIP connection to a scam compound located elsewhere, possibly in another country.”
- News first spotted on Alan Quayle’s newsletter
- TADSummit Podcast Talks About Telco Fraud
CoreMedia Update in iTunes for Windows to Address H26Forge Vulnerability
Apple issued an update for iTunes for Windows to address CVE-2024-27793, which is one of the vulnerabilities found by the team at The University of Texas at Austin during their H26Forge research. We had briefly covered this paper in last year’s April newsletter. The paper focuses on H.264 video files, but H.264 may also be used for WebRTC and ViLTE (video over LTE).
Codec security is a significant concern for us and the RTC security community. Congratulations to Willy R. Vasquez and his colleagues for the Forbes news coverage!
Mitel Phone Vulnerability Information Published
Security researcher Kyle Burns has released exploit code and advisories for vulnerabilities affecting Mitel devices:
- An authenticated remote command injection vulnerability on the provis.html page allows for code execution on boot. This issue affects Mitel versions 4.5.0.41 and 5.0.0.1018. More details can be found here, and it is tracked as CVE-2024-37569.
- An authenticated remote command injection vulnerability on the upgrade.html page allows for code execution. This affects the same Mitel versions. More details are available here, and it is tracked as CVE-2024-37570.
A demonstration video is available on YouTube, showcasing the exploitation of CVE-2024-37569, where the author gains root access to the phone.
These vulnerabilities are not listed on the Mitel Security Advisories website, as the affected versions are no longer maintained. If you are affected, upgrading your firmware is recommended.
Additionally, there is a third vulnerability mentioned in the GitHub repository, but no information has been published yet. The description is as follows:
Missing sanitization in multiple endpoints allows the ability to smuggle configuration entries to overwrite valid entries, eventually leading to authenticated remote command injection Mitel 6.3.0.1020 A-RCE.
This vulnerability is expected to be fixed soon in the latest Mitel phone firmware.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.
To subscribe: here