Skip to main content

RTC security
Newsletter

Curated RTC news research, news and occasional updates by Enable Security.

Subscribe
a phone receiver being crushed by a hand

root@localhost

SIP ALG exploit hits Realtek SDK, our Attack Platform and holidays

Published on Aug 31, 2022

In the summer time, the weather is hot … August is usually a slow month in our part of the world and a good time to take a holiday and relax a bit. We tried that for ourselves and found out that the rumors are true, holidays are not overrated. But, we didn’t stop for too long because, actually, we have news! In this edition, we cover: Our news about the Enable Security Attack Platform and Gasoline v2 Buffer overflow in Realtek’s SIP ALG affecting many many routers (CVE-2022-27255) More router exploitation leading to SIP credentials leakage (Arris / CVE-2022-31793) TLS ALPN identifier for SIP SELinux policies and Kamailio/OpenSIPS And more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022

Published on Jul 29, 2022

It is the end of the week as well as July and the RTCSec newsletter is in your inbox eagerly waiting to give you all the educational entertainment you need throughout the weekend! In this edition, we cover: Our TADSummit talk and SIPVicious PRO details FreePBX exploitation and confusing reports Remote coverage of the talks at the Dutch hacker camp CVE-2022-2294 - the vulnerability in the WebRTC project Vulnerabilities in Matrix, BigBlueButton, JunOS and more Tweet of the month on VoIP phone hardware hacking RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

SIPVicious PRO out with 2 releases, ransomware and participation in the survey

Published on Jun 30, 2022

The sun is shining (at least on this part of the hemisphere), new exploits and builds are published and everything is good. Welcome to the June edition of RTCSec! In this edition, we cover: Our news: presenting at TADSummit in November and releasing two new SIPVicious PRO versions The Open-Source Telecom Software Survey which needs filling up Ransomware attacks using Mitel’s VoIP appliances as an entry-point Carrier related issues, including Syniverse compromise and call forwarding trick Vulnerabilities that were fixed in Sofia-SIP (FreeSWITCH), pjsip, Mitel phones and VitalPBX and much much more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

OpenSIPS security audit report is out, Zoom and Wire RCEs and DTLS

Published on May 31, 2022

It is the end of May and we have, at the last minute, put together this month’s newsletter! Originally, we had doubts that we had much content for this month. Clearly we were underestimating the amount of last minute news in the RTC security world. In this edition, we cover: OpenSIPS security audit report publication Pentesting in Q4? and more Enable Security news Zoom vulnerability chain lead to an RCE XSS in Wire client leads to RCE Pion DTLS vulnerabilities fixed and some details Vulnerabilities in BIG-IP, Grandstream and Mitel Tweets of the month RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

We’re hiring, new SIPVicious PRO tools, advisories and blog post galore

Published on Apr 27, 2022

Welcome to the April edition of the RTCSec Newsletter. We have a lot this month, and this must be the most packed newsletter so far. In this edition, we cover: We’re hiring! Our blog post explaining how OpenSSL’s CVE-2022-0778 is a problem in WebRTC environments Latest SIPVicious PRO news Various blog and news posts: 3CX pre-auth RCE explanation Open SIP relay abuse ITW How LAPSUS$ probably abused VoIP OpenSIPS’ new TCP module versus DoS attacks Cisco Expressway and Telepresence VCS vulnerabilities A new tool to exploit STUN and TURN servers called stunner, from Firefart Advisories and vulnerabilities fixed (or not) in: FreePBX pjsip Asterisk PBX JunOS WebRTC Cisco Expressway and Telepresence VCS We bring back the Tweet of the month!…

Read more »

root@localhost

OpenSSL DoS and DTLS, SIMBoxes, SIP-TLS and lots of advisories

Published on Mar 29, 2022

And a warm welcome to the March edition of RTCSec Newsletter! We have new content for this newsletter, in the form of a video demo of an OpenSSL DoS (CVE-2022-0778). We’ll publish more about this on our blog. In this edition, we cover: OpenSSL DoS (CVE-2022-0778) versus WebRTC infrastructure Usage of SIMBoxes to evade Ukrainian phone companies blocking external phone calls VoIP calls and TLS security instructions Vulnerability reports for PJSIP, Asterisk, Mitel, Pascom, VoIPmonitor, 3CX and Cisco equipment RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

Commentary: security fixes in PJSIP, Zyxel, BIG-IP, Vicidial and others

Published on Feb 25, 2022

Welcome to the February edition of the RTCSec Newsletter! Please do reply and tell me what you think - this will help us make future editions better. In this edition, we cover: The SIPVicious PRO workshop, adapted for security teams Ribbon’s EdgeMarc SBCs used to launch DDoS attacks (news from November) RTC @Scale security talks Release of a new SIP tool called sipexer Vulnerabilities in various critical software, including PJSIP Smart Probes by Intuitive Labs RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

STIR/SHAKEN DoS, Cisco phone passwords, Zoom and Yealink

Published on Jan 26, 2022

Welcome to the very first RTCSec newsletter of 2022! It has been a busy month for us so far, and we’re very grateful for that. Q1 appears to be booked and we’re looking forward to planning our Q2 as well now. Get in touch if you think we can be of help. In this edition, we cover: We’re launching a new mailing list called Offense and Defense: RTC security tips SIPit 33 participation and STIR/SHAKEN tests How URL parsing issues may affect SIP implementations All 4 RTC advisories that came out in the past month or so A US Government centric report about Yealink phones New tool to exploit CUCM environments Google Project Zero’s work that led to 2 Zoom security fixes (or more) RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

DDoS, SIPit33, log4j and plans for 2022

Published on Dec 21, 2021

Welcome to the last RTCSEC newsletter of the year! In this edition, we cover: Best wishes for the new year NPR reports on VoIP DDoS Our TADSummit talk about the relationship between DDoS and RTC New video demo showing different types of DDoS SIPit33 participation The log4j vulnerability and RTC security CommCon RTC security talks Enable Security’s plans for 2022 Writeup about two of the FreeSWITCH vulnerabilities More vulnerabilities and short news with no commentary this time RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »

root@localhost

Vulnerabilities, honeypots, STIR/SHAKEN, DDoS and more

Published on Nov 22, 2021

Welcome to the second RTCSEC newsletter! Please do reply and tell me what you think - this will help us make future editions better. In this edition, we cover: FreeSWITCH security fixes and the story behind them OpenSIPit'02 and progress in STIR/SHAKEN and RFC8760 support Booking us for pentesting in 2022 and the latest in SIPVicious hair styling Upcoming public work including TAD Summit presentation and SIPit33 Quick summaries of presentations of interest at various online or hybrid events/conferences New security tools of interest: sipcmdbeat and SentryPeer Vulnerabilities in FusionPBX and Yealink phones VoIP provider DDoS news Short news and commentary RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

Read more »