RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


May 2025: VoIP conferences, VoLTE vulnerabilities and so much more

Published on May 29, 2025

This month was marked by SIP Server conferences, as I attended both Kamailio World and OpenSIPS Summit. This edition includes a review of the Kamailio World presentations of security-interest, while next month we’ll cover ones from OpenSIPS Summit.

I’d also like to welcome all the people who joined this newsletter from Kamailio World and OpenSIPS Summit!


In this packed edition, we cover:

  • Our presentations on SIP server configuration vulnerabilities
  • VoLTE security and privacy issues
  • A video on YouTube about sniffing VoIP phone calls that is actually worth watching
  • OpenSIPS mailing list post on a proposed tainted variable security enhancement
  • A potential new WebRTC vulnerability, or not
  • Vulnerabilities in Asterisk, Grandstream and BIG-IP

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • Forward it to those who may find this newsletter particularly fruitful.
  • Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.


Our news

Configuration Security at Kamailio World and OpenSIPS Summit 2025

This month featured key open-source SIP router conferences: Kamailio World and OpenSIPS Summit. We participated by presenting on a unifying theme: Configuration Security. Our main premise is that for both Kamailio and OpenSIPS, security depends more heavily on how administrators and DevOps teams configure these servers than on the application code itself.

Although both presentations covered the same topic, we took different approaches. At Kamailio World, we focused on configurations we audited during client engagements, showing real-world vulnerabilities that we exploited and helped secure. At OpenSIPS Summit, the talk was more playful, telling the story of how I used AI pair programming to discover and analyze OpenSIPS configurations publicly available on GitHub.

Both presentations were well received; several attendees told me afterward that they had just fixed their SIP server configuration. We look forward to your feedback and discussions on this and related topics!

Check out the slides here:

What’s happening?

Mediatek VoLTE Firmware Null-Pointer Vulnerability

Our friends at sipgate have published an excellent blog post about a denial-of-service vulnerability they found in the MediaTek VoLTE stack. This affects a number of phones from manufacturers such as Huawei, Xiaomi, Gigaset, and Motorola, among others, when they are using 4G or 5G VoLTE.

What was the problem they discovered? Essentially, if an attacker sends a NOTIFY message without the required Contact header to affected phones, the vulnerable device’s VoLTE stack becomes unresponsive. Regarding exposure to this vulnerability, they explain the following:

To use this problem in the wild, a threat actor needs to be in a privileged condition (namely the serving function of the phone operator’s IMS) which means that there have already been some pre-checks and authorizations. But, hostile takeovers and VoLTE Local Breakout could lead to these situations, and using this, to a denial of service and a down-grade attack of calls to the 2G network which makes the calls significantly less secure.

The vendor has fixed this issue, which is tracked as CVE-2025-20647 and rated medium severity. It has the following description:

In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.

Hacking Phone Calls with Kali Linux and Wireshark (MITM / VoIP replay)

YouTuber David Bombal posted a video about eavesdropping on SIP and RTP (i.e., audio) traffic to listen in on calls. Unlike the majority of AI-generated content on YouTube about this topic, this material is great. If you have never sniffed a call using Wireshark, then it is worth a watch.

The video explains techniques such as using a network tap, performing an ARP poisoning man-in-the-middle attack with Ettercap-ng (yes, Bettercap from @evilsocket is better), and employing a simple network hub to capture both the SIP for call setup and the RTP, which carries the voice data.

He demonstrated this using FreePBX with Yealink and Fanvil phones, though any system would work as long as it doesn’t use SIP over TLS and SRTP.

Watch the video: https://www.youtube.com/watch?v=LoFoV3T17T0

OpenSIPS: Proposed Tainted Variable Security Enhancement

On the OpenSIPS mailing list, Gregory Massel proposed two enhancements to OpenSIPS aimed at preventing injection vulnerabilities in its configurations. Firstly, he suggested tainting user-input pseudo-variables, a practice similar to that found in Perl and Exim. Secondly, he discussed automatically escaping these pseudo-variables.

The concept of tainting is appealing, as it resembles how static code analyzers track data flow. Under this approach, user-input pseudo-variables would initially be ‘tainted’. They would then need to be ‘untainted’ - effectively marked as safe - but only after undergoing proper validation or another protective mechanism.

Automatically escaping can be problematic and may not fully resolve vulnerabilities, as its effectiveness is highly dependent on the ‘sink.’ The ‘sink’ refers to the specific format or language of the dangerous function or data consumer, such as SQL, shell commands, NoSQL, or JSON. While attractive, such ‘magical’ security solutions are bound to fail in specific cases. This inherent unreliability poses a risk, as OpenSIPS operators would over-rely on them.

Conversely, the optimal approach for building security-sensitive content from user input—content that is subsequently passed to security-sensitive functions—is to employ programmatic techniques (e.g., parameterized queries for SQL) instead of string concatenation. This method offers a more robust programming pattern than relying on tainting or ‘magical’ solutions.
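As an added illustration of the argument above (not OpenSIPS code; the Tainted class, untaint and the two sinks are hypothetical stand-ins for pseudo-variables and script functions), a Python sketch that puts taint tracking, sink-specific escaping and a parameterised query side by side: the escaping that is correct for the SQL sink does nothing for a shell sink, while the taint check refuses unvalidated data regardless of sink.

```python
import re
import sqlite3

class Tainted(str):
    """A value that arrived from the network, e.g. the user part of a SIP From URI."""

class TaintError(Exception):
    pass

USERNAME_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}")

def untaint(value):
    """Release the taint only after an allow-list check; anything else is refused."""
    if not USERNAME_RE.fullmatch(value):
        raise TaintError(f"rejected user-controlled value {value!r}")
    return str(value)  # plain str: validated, acceptable to any sink

def shell_sink(argument):
    """Stand-in for an exec-style consumer: refuses data that is still tainted."""
    if isinstance(argument, Tainted):
        raise TaintError("tainted data reached a shell sink")
    return ["/usr/bin/logger", argument]

def sql_escape(value):
    """'Automatic escaping' tuned for exactly one sink, a SQL string literal."""
    return value.replace("'", "''")

def lookup_concat(conn, username):
    """Escape-and-concatenate: safe here only because sql_escape matches this sink."""
    sql = "SELECT username FROM subscriber WHERE username = '" + sql_escape(username) + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, username):
    """Parameterised query: the driver keeps data and SQL code apart for any input."""
    rows = conn.execute("SELECT username FROM subscriber WHERE username = ?", (username,))
    return [row[0] for row in rows]

def demo_db():
    """In-memory stand-in for a subscriber table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?)", [("alice",), ("o'brien",)])
    return conn
```

Note that sql_escape("1001; echo") returns its input unchanged: the semicolon a shell would act on is not a character the SQL escaper cares about, which is the sink-dependence problem described above.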

VoLTE Location Tracking Vulnerability in O2 Network

Turns out that attackers monitoring SIP traffic on VoLTE could track users on the O2 network in the UK.

TL;DR:

The raw IMS signalling messages, based on SIP, contained headers with information about the recipient, including their International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI), and Cellular-Network-Info. The Cellular-Network-Info header contained data such as the recipient’s network PLMN, Location Area Code (LAC), and Cell ID.

By extracting the recipient’s Cell ID, LAC, and PLMN from the SIP messages, an attacker could use publicly crowdsourced data from tools like cellmapper.net to cross-reference this information and determine the general location of the user. In dense urban areas with many small cells, this could pinpoint a user’s location to an area as small as 100m². This method of location tracking worked even when the O2 customer was roaming abroad.

As of 19th May 2025, O2 confirmed this specific issue had been resolved. So we can all relax now.

Read the original blog post on Mast Database.

BIG-IP SIP ALG profile vulnerability CVE-2025-41433

How about a SIP ALG vulnerability in carrier-grade equipment? Like every other month, we have you covered with yet another fix - this time in BIG-IP products that have SIP ALG enabled. The advisory says that “undisclosed (SIP) requests can cause the Traffic Management Microkernel (TMM) to terminate”.

Review the advisory and apply the fix if you’re using this equipment with the SIP ALG profile enabled.

Grandstream GDS3710 Stack Buffer Overflow Vulnerability

From the Grandstream website:

The GDS3710 is an HD Video Door System that tracks, manages and records access to any physical building while also serving as an IP surveillance camera and IP intercom.

José Luis Verdeguer (aka Pepelux) found a buffer overflow vulnerability in these devices, affecting firmware version 1.0.11.13 and earlier. The advisory was published back in 2022, but an exploit demonstration tool that reproduces the issue has now been published. The code starts a reverse shell that grants attackers root access to vulnerable devices.

Zibri WebRTC undisclosed vulnerabilities?

On X (formerly Twitter), Zibri posted the following on 17th May:

I have found 2 vulnerabilities that allow anyone to have anonymous and unlimited access to webrtc/ice high bandwidth-low latency servers. I will not submit the full POC until @microsoft will give me a quote. Very similar bugs are present also in @meta and @google services.

Zibri is renowned for his impressive iPhone jailbreaks, known as ZiPhone. These vulnerabilities sound like TURN relay abuse, which we have extensively detailed in presentations, including the one at OWASP 2024 Global AppSec in San Francisco.

Asterisk SIP MESSAGE Spoofing Vulnerability and CLI permissions bypass

Asterisk PBX recently released security fixes for a vulnerability that allows SIP MESSAGE spoofing. SIP MESSAGE requests carry messages that typically appear as SMS text messages on VoIP phones. To exploit this vulnerability, attackers set the display name in the From header to their spoofing target and add a semicolon (;) or NULL characters to that name.

This header might look like: From: admin;<sip:attacker@192.168.77.136>

Authenticated users can exploit this when SIP MESSAGE is enabled through the dialplan using the MessageSend Dialplan Application.
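As an added example (not Asterisk's or MediaTek's code), a defender-side check that a SIP proxy or test harness could run over incoming requests: it rejects NOTIFY requests lacking the mandatory Contact header (the condition from the MediaTek item above) and From headers whose unquoted display name contains characters outside the RFC 3261 token grammar, such as the semicolon in the header quoted above, or a NUL byte. The two sample messages are constructed; the header table and regexes are this example's own.

```python
import re
# RFC 3261 display-name = *(token LWS) / quoted-string: ';' and NUL are never legal unquoted.
TOKEN_RE = re.compile(r"[A-Za-z0-9\-.!%*_+`'~]+")
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
NAME_ADDR_RE = re.compile(r"^(?P<dn>.*?)\s*<[^>]+>.*$")
# NOTIFY must carry Contact (RFC 3265); the crashing VoLTE NOTIFY lacked it.
REQUIRED_HEADERS = {"NOTIFY": ("Contact",)}

def parse_request(raw):
    """Split a SIP request into (method, {lower-case header name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def display_name_problem(from_value):
    """Return None if the From display-name is grammatical, else the reason."""
    if "\x00" in from_value:
        return "NUL byte in From header"
    match = NAME_ADDR_RE.match(from_value)
    dn = match.group("dn").strip() if match else ""
    if not dn:
        return None  # addr-spec form or empty display-name
    if dn.startswith('"'):
        return None if QUOTED_RE.fullmatch(dn) else "malformed quoted display-name"
    if all(TOKEN_RE.fullmatch(word) for word in dn.split()):
        return None
    return f"illegal character in display-name {dn!r}"

def check_request(raw):
    """Return the reasons to reject a request (an empty list means accept)."""
    method, headers = parse_request(raw)
    problems = [f"{method} lacks mandatory {h} header"
                for h in REQUIRED_HEADERS.get(method, ()) if h.lower() not in headers]
    reason = display_name_problem(headers.get("from", ""))
    if reason:
        problems.append(f"From: {reason}")
    return problems

# Constructed samples: the From header quoted above, and a NOTIFY without Contact.
SPOOFED_MESSAGE = ("MESSAGE sip:bob@example.com SIP/2.0\r\n"
                   "From: admin;<sip:attacker@192.168.77.136>\r\n"
                   "To: <sip:bob@example.com>\r\n\r\n")
BAD_NOTIFY = ("NOTIFY sip:ue@example.com SIP/2.0\r\n"
              "From: <sip:ims@example.com>;tag=2\r\n"
              "Event: reg\r\nSubscription-State: active\r\n\r\n")
```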

Read the advisory for more details, or check out the code update here if you’re that sort of person.

The security fix also addressed a second vulnerability: an Asterisk CLI permissions bypass. The developer who reported this discovered that configuring cli_permissions.conf to restrict the Asterisk CLI from running shell commands with the ! command trick doesn’t work as expected. The update added a new configuration parameter disable_remote_console_shell that must be set in such cases. The advisory for this vulnerability is here while the commit provides additional details.

The SIP MESSAGE spoofing vulnerability is tracked as CVE-2025-47779, and the CLI permissions bypass is tracked as CVE-2025-47780.

Review of Kamailio World 2025 presentations

After returning from Kamailio World, I had a lot of different (positive) impressions. It was an amazing experience, meeting new friends and old colleagues too. Here, I’ll review presentations at this event that featured security in some shape or form.

A Journey Of Public Emergency Calls Used In An MCPTT Network

By Roman Onic, Kontron

Synopsis of this talk:

Kontron developed an MCx-based train radio system using Kamailio as the core IMS system to replace analog radio and GSM-R systems, with integrated 3GPP Application Servers. The solution required support for public emergency calls, including Type 1 (112) and national Type 2 emergency calls (like 122, 133, 144 in Austria). The presentation covers the overall solution and demonstrates how Kamailio was used to integrate public emergency call functionality across various deployment scenarios.

Such systems must be available, reliable, and secure, making them fascinating to study from a learning perspective.

Scaling The VoIP Infrastructure With Custom MID-Registrars

By Iurii Gorlichenko, In8inity

Synopsis of this talk:

This session presents Kamailio-based MID-Registrar implementations that improve scalability and fault tolerance in communication systems without requiring major infrastructure changes, leading to cost reductions. The focus is on coordinating multiple independent registrars (like Asterisk instances) through two main approaches: Proxy-Registrar and MID-Registrar with shared credentials. The presentation includes configuration examples, diagrams, and practical guidance comparing the pros and cons of each approach.

Mid-Registration servers are common in SIP environments, where a SIP server intercepts REGISTER requests to provide registration caching for quick local lookup. This design creates security implications that Iurii discussed in his talk, including the propagation of user credentials to multiple locations.

Kamailio As A Web3 Telecom Server

By Amir Dorot, Cellact

Synopsis of this talk:

This presentation demonstrates using Kamailio in a Web3 telecom solution that replaces traditional username/password authentication with crypto wallet registration. The decentralized system allows one Kamailio server to serve multiple service providers while supporting various user identities (ENS, email, phone numbers). Examples show Kamailio flows integrated with Polygon blockchain for call establishment.

Although this was generally a high-level talk, it included details about their authentication and authorization approach using the Ethereum Name System (ENS) with two SIP message headers:

  • X-Data: Contains data that the user signs with their private key, including a UUID with a timestamp to prevent replay attacks.
  • X-Sign: Contains the signature generated by the user’s crypto wallet over the data in the X-Data header.

Alternative authentication methods in SIP communications are fascinating and potentially challenging from a security perspective, making this talk particularly interesting.

Lessons Learned From Enterprise Deployments Of Kamailio

By Fred Posner, Lod

Synopsis of this talk:

Enterprises have increasingly adopted VoIP to enhance communication and collaboration. This presentation outlines the key aspects learned from various enterprise VoIP server implementations, focusing on critical factors such as infrastructure scalability, operational efficiency, and integration with internal systems, highlighting the best practices for optimizing performance and ensuring security.

This entertaining talk from Fred covers enterprise security requirements, focusing on:

  • UDP bans in enterprises, particularly comparing SIP-UDP versus SIP-TLS versus SIP-UDP with IPsec
  • The impractical requirement to run RTP over TLS
  • Recommended avoidance of SIP ALG (Application Layer Gateway)
  • How SIP-TLS and SRTP impact performance
  • Many other valuable topics worth reviewing

Security Updates and Vulnerability News Round-Up

Firefox ESR 115.24 fixes vulnerability in libvpx encoder (used for WebRTC)

Mozilla Firefox ESR 115.24 addresses a critical security vulnerability in the libvpx encoder used for WebRTC, specifically a double-free issue in the vpx_codec_enc_init_multi function that could potentially cause memory corruption and an exploitable crash during encoder initialization. While the full details of the vulnerability remain non-public, the update aims to mitigate this security risk.

Original content here.

Research on cyber security in enterprise connected devices by UK Gov

A research study conducted by NCC Group for the UK government revealed significant cybersecurity vulnerabilities in enterprise connected devices, with a particular focus on VoIP systems. The investigation uncovered serious security weaknesses in various administrative interfaces, including web interfaces and telnet, which could potentially expose organizations to significant cyber risks.

Original content here.


Thanks to Vulners and other third parties for providing vulnerability source material.

This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.

To subscribe: here
