RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


August 2024: WebRTC security at OWASP Global AppSec, WebRTC RCE technical posts and new talks

Published on Aug 16, 2024

We’re sending this out a bit earlier than usual as some of us will be taking some time off soon. See you next month!

In this edition, we cover:

  • Our latest presentation for OWASP 2024 Global AppSec.
  • An intriguing blog series by Margin Research on synthetic vulnerabilities in Signal-iOS’s WebRTC.
  • Updates on new Cisco phone vulnerabilities that won’t be fixed, and a recently addressed Asterisk AMI vulnerability.
  • A brief overview of notable presentations from Blackhat, DEF CON, and BSidesLV that might interest the RTCSec newsletter audience.
  • And much more!

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • Forward it to those who may find this newsletter particularly fruitful.
  • Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.


Our news

Upcoming presentation - Web Security Experts: Are you overlooking WebRTC vulnerabilities?

We’re preparing a presentation that will be delivered on September 26th at the OWASP 2024 Global AppSec conference in San Francisco.

Title: Web Security Experts: Are you overlooking WebRTC vulnerabilities?

Synopsis:

As the web evolves, so do the complexities of securing it. WebRTC (Web Real-Time Communication) is a powerful technology embedded in every modern web browser, enabling audio, video, and data sharing. While WebRTC offers tremendous advantages for real-time communication, it introduces a unique set of security challenges that many web and API security professionals may overlook.

This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.

Are you planning to be there? Get in touch so that we can connect.

What’s happening?

You Can’t Spell WebRTC Without RCE: Synthetic Vulnerabilities in Signal-iOS’s WebRTC

Margin Research published a series of blog posts titled You Can’t Spell WebRTC Without RCE. For those in the cybersecurity field, it’s easy to see how RTC might be mistaken for RCE.

These posts explore the intentional reintroduction of previously fixed vulnerabilities for educational purposes. Along the way, readers are provided with an in-depth explanation of WebRTC’s internals and complexities. The topics covered include:

  • Receiving and Parsing Data
  • Removing Mitigations and Injecting Vulnerabilities
  • Building a Research Environment
  • Triggering the Vulnerabilities
  • Starting the Call
  • Sending Modified RTCP Messages
  • Requesting and Retrieving a Leak
  • Triggering the memcpy Function
  • Testing the Triggers
  • Breaking ASLR
  • Leaking the Stack(s)

This research complements Natalie Silvanovich’s work on exploiting Android messaging apps via WebRTC. You can read the blog posts directly:

Hacker Summer Camp 2024: Black Hat, DEF CON, and BSidesLV

The annual hacker events in Las Vegas took place this month, featuring numerous fascinating talks and presentations. Although we couldn’t attend this year, several topics caught our attention. Here are a few highlights, along with our thoughts:

Critical security vulnerabilities in Cisco SPA300 or SPA500 IP phone, not getting fixed

An article on The Register caught my eye with the title Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now’s the time to junk ’em. The reason is that these phones have multiple vulnerabilities that will not be fixed because the devices are past their end of life. The three main vulnerabilities are serious: buffer overflows that can be exploited by any unauthenticated attacker who can reach the phones’ web interface.

Go read the advisories from Cisco if this concerns you.

Presentations, not on WebRTC security, but WebRTC for distributed p2p

While searching for new YouTube videos on WebRTC security, I found two presentations from different conferences that discussed using WebRTC for distributed peer-to-peer and blockchain applications. Although this isn’t a new concept, it made me wonder: which of the vulnerabilities we frequently cover in this newsletter might also be relevant to these blockchain scenarios?

It’s also fascinating to see how they leverage the technology differently from what we’re used to in online conferencing systems and similar applications. There’s significantly more use of data channels and much less emphasis on media.

As Daniel Norman aptly put it, a recurring theme is: “WebRTC is quite complex.”

Asterisk project fixed a privilege escalation for AMI

The Asterisk open-source PBX project has issued an advisory and security fix for a vulnerability in its Asterisk Management Interface (AMI). This vulnerability was discovered by Niels Galjaard, who found that a low-privileged AMI user could modify Asterisk’s configuration, potentially resulting in remote code execution. The exploit takes advantage of the Originate action to call the Asterisk SET application, allowing an attacker to write or download files remotely. AMI has been a frequent source of privilege escalation vulnerabilities, making it an attractive attack vector. This is particularly concerning because some web interfaces that interact with AMI might inadvertently allow the injection of AMI commands through newline characters in user-supplied values, since AMI is a line-based protocol. Such a bypass can lead to remote code execution, even when the AMI user is supposed to have restricted permissions.

The advisory, titled “Write=originate, is sufficient permissions for code execution / System() dialplan,” has been addressed by the Asterisk team. Thanks go to the security researcher and the Asterisk team for promptly resolving this issue.

The Matrix React SDK fixed an interesting privacy vulnerability

The matrix-react-sdk, a React-based SDK for integrating a Matrix chat/VoIP client into a web page, had a vulnerability that allowed a malicious homeserver to manipulate user account data and enable URL previews in end-to-end encrypted rooms. This could expose URLs contained in encrypted messages to the server. This issue was addressed in version 3.105.0 of the SDK.

Deployments that trust their homeservers or operate within closed federations of trusted servers are not impacted. Users are strongly recommended to upgrade to the patched version, as there are currently no known workarounds for this vulnerability.


This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.

To subscribe: here