Welcome to the second RTCSEC newsletter! Please do reply and tell me what you think - this will help us make future editions better.
In this edition, we cover:
- FreeSWITCH security fixes and the story behind them
- OpenSIPit'02 and progress in STIR/SHAKEN and RFC8760 support
- Booking us for pentesting in 2022 and the latest in SIPVicious hair styling
- Upcoming public work including TAD Summit presentation and SIPit33
- Quick summaries of presentations of interest at various online or hybrid events/conferences
- New security tools of interest: sipcmbeat and SentryPeer
- Vulnerabilities in FusionPBX and Yealink phones
- VoIP provider DDoS news
- Short news and commentary
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. Do:
- forward this to that person who may find this newsletter particularly fruitful.
- let me know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.rtcsec.com/newsletter.
FreeSWITCH advisories and the story behind the vulnerabilities
We released 5 advisories for FreeSWITCH and gave a presentation about the story behind these advisories at ClueCon, the SignalWire/FreeSWITCH yearly conference. On top of that, we published a long read about how we found the vulnerabilities, how they were reported and then fixed. The post is called Killing bugs … one vulnerability report at a time and carries the same title as the conference talk.
- Advisories: https://github.com/EnableSecurity/advisories
- Long read: https://www.rtcsec.com/article/killing-bugs-one-vulnerability-report-at-a-time/
- Conference video: not yet published
OpenSIPit'02 participation - STIR/SHAKEN and RFC8760 interoperability testing
We love being involved in OpenSIPIt which is a community-driven interoperability testing event that happens online. It is both educational and fun for people working on SIP related projects.
OpenSIPIt#02 just happened between 15th and 17th November and we haven’t yet had the chance to properly write up about the results on our blog. Instead we have a quick summary:
- Participants were (primarily) the following:
- Sippy software
- Enable Security (that’s us!)
- Both RFC8760 (i.e. SIP digest authentication using SHA to replace MD5) and STIR/SHAKEN support have generally improved and stabilised across all open source projects involved, perhaps except for Asterisk and PJSIP that seemed to lag behind
- Previously we had found that implementations of STIR/SHAKEN were vulnerable by allowing local file access (and other tricks) as the value of x5u; see our blog post for more about this
- This time, all vulnerable implementations had fixes for this issue
- However, by pointing the x5u to large files on our HTTP server, we found problems in OpenSIPS and FreeSWITCH; both of which should have now been fixed
- Additional fuzzing found issues in the OpenSIPS HEP module and in PJSIP; both of which were also fixed
- We also noticed some room for improvement in Sippy’s Python b2bua, which was then addressed so that it handles flood attacks more efficiently
- We updated SIPVicious PRO experimental edition to support 2 new (invalid) algorithms for the Identity header’s JWT: None and HS256 to try to reproduce JWT related vulnerabilities
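The x5u and algorithm problems listed above all come down to checks a verifier can make before it fetches or trusts anything. The following is an added example, not code from any of the projects tested or from SIPVicious: the function names, the 64 KB cap, the https-only policy and the sample tokens and URLs are assumptions made for illustration, and signature verification would follow these checks.

```python
import base64
import json
from urllib.parse import urlsplit

ALLOWED_ALGS = ("ES256",)     # RFC 8225 mandates ES256 for PASSporT signatures
MAX_CERT_BYTES = 64 * 1024    # assumed cap; real certificate chains are a few KB

class PassportRejected(Exception):
    pass

def check_header(identity_jwt):
    """Vet alg and x5u from the JWT header before touching network or disk."""
    part = identity_jwt.split(".")[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
        url = urlsplit(str(header.get("x5u", "")))
    except (ValueError, AttributeError) as exc:
        raise PassportRejected("malformed header") from exc
    if header.get("alg") not in ALLOWED_ALGS:      # rejects none, HS256, missing
        raise PassportRejected("alg not allowed")
    if url.scheme != "https" or not url.hostname:  # rejects file://, bare paths
        raise PassportRejected("x5u is not an https URL")
    return header

def read_capped(stream, limit=MAX_CERT_BYTES):
    """Read a certificate body in chunks, aborting once it exceeds the cap."""
    body = bytearray()
    while chunk := stream.read(4096):
        body += chunk
        if len(body) > limit:
            raise PassportRejected("x5u response too large")
    return bytes(body)

def make_token(header):
    """Constructed, unsigned sample token for this demonstration only."""
    raw = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return raw.decode() + ".e30.c2ln"

def verdict(token):
    """Return "ok" or the reason the header was rejected."""
    try:
        check_header(token)
        return "ok"
    except PassportRejected as exc:
        return str(exc)

if __name__ == "__main__":
    good = "https://certs.example.test/sp.pem"     # constructed URL
    for hdr in ({"alg": "ES256", "x5u": good}, {"alg": "none", "x5u": good},
                {"alg": "HS256", "x5u": good},
                {"alg": "ES256", "x5u": "file:///var/lib/constructed.pem"}):
        print(hdr, "->", verdict(make_token(hdr)))
```

In a real verifier, read_capped would wrap the HTTP response object used to download the certificate, so an oversized body is dropped after the cap instead of being buffered whole.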
This summary is of course from our perspective. A lot more happened during the event and one should watch the opening and closing sessions on Youtube to get a more general idea of the event: https://www.youtube.com/watch?v=8cvhokPHMcA&list=PL-U7hOT8zFXqt9AxYSoG94K2ss98ADv-T.
Pentesting in 2022 (advert)
If you’re subscribed to this newsletter, chances are you’re also thinking about pentesting your RTC products or services in 2022.
At the moment we’re working on filling our work schedule for Q1 2022. If you’d like to be included in our thoughts, reply to me or contact us.
Upcoming: The worst of enemies - let’s talk about DDoS and RTC
I will be presenting on the topic of RTC and DDoS at TADSummit EMEA Americas 2021 (online). My talk is called The worst of enemies - let’s talk about DDoS and RTC and it aims to answer the question:
Why are VoIP and WebRTC services so vulnerable to DDoS and what can we do about it?
- distinguish between volumetric and application-level DoS
- why volumetric/bandwidth saturation is so effective
- application-level DoS, appreciate the complexity of the topic
- Some demo to illustrate the point
- general recommendations: security testing, apply changes, preparations, repeat
Upcoming: SIPIt participation
SIPIt is, in many ways, OpenSIPIt’s older brother and the 33rd edition is happening online after a 5 year break. It is organised by the SIP Forum and this time is about interoperability testing especially for the following topics:
- Rich Call Data
- Certificate Delegation
The event is very interesting for us and we look forward to participating next month in December. Are you involved or participating as well? Reply and let me know your thoughts.
Online and hybrid conferences
Extending Matrix’s E2EE calls to multiparty
As users of the Matrix protocol and Element, we are quite interested in the complexities involved in making this secure.
The Kranky Geek Fall 2021 event just happened last week where Matthew Hodgson gave a presentation about the Matrix’s E2EE multiparty calls.
My (quick) summary:
One-on-one calls in Matrix are relatively simple. They work well and have been around for 6 years. Group calls, on the other hand, have gone through various stages. Originally Matrix used an MCU based on FreeSWITCH, and sometimes Asterisk. This was done per room and resulted in a centralized group calling system that is very different in design from the rest of Matrix. Then they switched to using Jitsi by making use of a widget, which was somewhat better. This, however, still had a number of limitations. For example, this was still centralized, the protocols in use are different from the rest of Matrix, and it lacked Matrix’s E2EE and access control mechanisms. In practice these SFUs or MCUs (“foci”) are hooked up as Matrix endpoints so that they could be any existing SFU or MCU software.
The specs are available at MSC3401.
ClueCon security talks
Since the videos for ClueCon are not yet published, we cannot comment on them. The following presentations are of special interest to us and are quite relevant to RTC security:
- VoIP Security: Lean and Mean - by Jiri Kuthan
- Talks about how honeynets are useful in VoIP security and introduces some new tools too (see https://github.com/intuitivelabs/sipcmbeat/)
- How can we better secure our systems - By Dovid Bender
- I did not watch this yet and look forward to reviewing the video. It should talk about the recent DDoS attacks on VoIP providers among other security challenges.
- Kamailio, FreeSWITCH, and You - by Fred Posner
- Talks about how Kamailio can help secure FreeSWITCH deployments.
For more information: https://www.cluecon.com/speakers-2021.
TADSummit EMEA Americas 2021
TADSummit describes itself as:
unique, packed, the thought-leadership event in programmable telecoms.
Here are my notes on the talks that are out so far and cover security in one way or another:
APIBAN: Protecting you from unwanted SIP traffic, Fred Posner
- A great presentation explaining everything about APIBAN, a system to block known SIP attack IP sources.
SentryPeer, A distributed list of bad IP addresses and phone numbers collected via a SIP Honeypot.
- It is Open Source and quite ambitious
- Makes use of peer-to-peer to distribute the data
- It aims to make available a collection of attacker IP addresses and phone numbers
- Check out https://sentrypeer.org/
Open Source Telecom Survey 2021 Results & Discussion
- In his survey, Alan Quayle touched on a number of security topics. Some key findings on our favourite topics:
- Quite often, organisations do not appear to have a security team, and if they do, they are certainly not involved in RTC security. This indicates a lack of general knowledge in RTC security.
- SIPVicious was on the top of the list of security tools used for testing RTC security, right after “no security tool”.
- Network transport encryption, in the form of SIP-TLS and SRTP is present but still lacking
- Security in RTC is mostly reactive rather than proactive
Tools of interest: sipcmbeat and SentryPeer
Intuitive Labs have released sipcmbeat, which collects SIP traffic and generates events based on it. Useful for honeypots and security analysis. Jiri’s talk at ClueCon gives more details.
At TADSummit EMEA Americas 2021, we learned about SentryPeer which is:
A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot.
More details: https://sentrypeer.org/
Vulnerabilities in FusionPBX and Yealink phones
Our friend @silvanojr and his colleagues helped fix some security issues in FusionPBX:
- CVE-2021-43403 - directory traversal, read access
- CVE-2021-43404 - remote code execution
- CVE-2021-43405 - remote code execution
- CVE-2021-43406 - remote code execution
To exploit any of these issues, attackers need authentication in the admin interface. However, without any obvious CSRF protection in FusionPBX, such issues may be exploited through that vector. We’re not the first to point this out. See:
In the meantime, someone posted a command injection exploit, leading to remote code execution in some YeaLink hardware phones: https://packetstormsecurity.com/files/164934/YeaLink-SIP-TXXXP-220.127.116.11-Command-Injection.html
Exploitation does require authentication. This sort of thing is quite typical of web interfaces in embedded hardware, which includes SIP phones. Naturally, the web server or servlet runs as root so exploitation allows attackers to do a lot of fancy things with the vulnerable phones.
Silvano Girardi Jr. did a quick video showing remote code execution through a dialplan. See his video and tweet here: https://twitter.com/silvanojr/status/1454394040129105924
Yes this is indeed a possibility. Be extra careful when using external applications in your dialplan - such as through system and even cURL functionality. Perhaps the topic of a new article?
New SIPVicious website and refreshed mascots (advert)
We have refreshed the SIPVicious OSS mascot and have a cool new one for SIPVicious PRO! Check out that hair volume!
And we pushed out some pages about SIPVicious on our company website. One covers SIPVicious OSS with all the relevant links to the releases, source code and the documentation.
Then there’s the page for SIPVicious PRO. Naturally this includes the pricing, links to documentation and a list of CVEs and advisories (or bug-o-rama) that were found using the toolset.
We also put out a roadmap page and a page showing comparison between SIPVicious OSS and SIPVicious PRO.
Thanks to Samwel Mallia for the illustration work!
VoIP provider DDoS news
A lot to catch up on in terms of DDoS attacks on VoIP and CPaaS providers. Unfortunately these attacks have not yet stopped and have affected more providers and customers. The result so far, apart from the obvious, has been that many providers have moved to Cloudflare’s protection.
Here is my list of news and social media references on the topic. If you have more details, please do share.
DDoSers take weekend off only to resume campaign against UK’s Voipfone on Monday
- Continued DDoS attacks on UK VoIP providers
DDoS Attack Trends for Q3 2021
- What is interesting is that they mention SIP protocol-specific attacks too apart from UDP reflection and floods.
DDoS on Telnyx
- Telnyx moved to Cloudflare due to DDoS attacks on its infrastructure
DDoS attack cost Bandwidth.com nearly $12 million
Daisy Telecom DDoS
Thanks to Dovid Bender for the heads up on Telnyx being (temporarily) affected even if behind Cloudflare and for pointing us at the Daisy Telecom DDoS news.
Short news and commentary
- Lorenzo Mangani of QXIP did a weekend project - a WASM PCAP RTP Extraction and SRTP Decryption. It is based on srtpdecrypt and allows you to load a PCAP and do what it says on the tin in your web browser.
- Might come in handy!
Google Chrome WebRTC addIceCandidate use after free vulnerability (TALOS-2021-1348)
- thanks to Tim Panton for the heads up
- Their words: Subspace created the world’s fastest, most stable, highly available and secure network
Block unwanted SIP traffic efficiently
- On using APIBAN at TelecomsXChange
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.