DDoS, SIPit33, log4j and plans for 2022

Welcome to the last RTCSEC newsletter of the year!

In this edition, we cover:

• Best wishes for the new year
• NPR reports on VoIP DDoS
• Our TADSummit talk about the relationship between DDoS and RTC
• New video demo showing different types of DDoS
• SIPit33 participation
• The log4j vulnerability and RTC security
• CommCon RTC security talks
• Enable Security’s plans for 2022
• Writeup about two of the FreeSWITCH vulnerabilities
• More vulnerabilities and short news with no commentary this time

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

• forward this to that person who may find this newsletter particularly fruitful.
• let me know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

So long and see you next year!

We’re going to be off for the next 2 weeks, getting a much needed rest and some offline time to recover from this past year. Wish you all a Merry Christmas, and a better one next year!

ClueCon videos are out

Check out our presentation Killing Bugs… one vulnerability report at a time on Youtube.

NPR covers the DDoS attacks on VoIP providers

NPR had a piece about the DDoS attacks that have been happening on VoIP providers. It gives a layman’s overview of the vulnerability and what the attacks did to services providers and their customers. Our friend Fred Posner and yours truly were interviewed in this article. Here’s what I said:

On the other side, companies are going to have to come up with a response plan. “From my end, it seems that more preparation is necessary,” says Gauci, the security expert.

“More testing security testing is important,” he says, “because you want to know where you stand and if your security protection mechanisms are actually working and if they are introducing new problems for you or not, and how you are able to recover.”

I should apologize to all my English grammar teachers of past for the repeated use of the word “and” in one sentence.

Read the rest of the article here.

TADSummit talk about DDoS attacks on RTC

I gave a presentation called The worst of enemies – let’s talk about DDoS and RTC where I tried to explain why DDoS affects VoIP systems so badly, as we have seen recently. I did not say anything that I did not write about in our blog especially in these articles:

• Why volumetric DDoS cripples VoIP providers and what we see during pentesting
• Massive DDoS attacks on VoIP Providers and simulated DDoS testing

We also published a new video demo with this presentation, which is our next topic.

What is the difference between volumetric and application-layer DDoS?

Watch the video on Youtube.

In this video, we show the sort of effect achieved by saturating the bandwidth of the target server. And how an application server is affected too. If you’d like the voice-over version, you’ll find this video in the TADSummit talk, skip to 00:07:45.

SIPit33 participation

The 33rd SIPit happened online this year in the month of December. We took part and participated by performing tests for STIR/SHAKEN authenticated calls, fuzzing and denial of service tests with various participating vendors.

Perhaps we’ll publish a report once we’re back from the holidays.

Apache log4j vulnerabilities affecting RTC

We have been collecting references regarding RTC products that were (somewhat) affected by the log4j vulnerability. Here are some links:

• Zoom
• Alcatel-Lucent / advisory
• Jitsi
• signald
• Matrix itself not affected but 3rd party related software is / tweet
• Audiocodes - requires authentication, which we don’t have
• 8x8 generic text
• Avaya
• Polycom
• Cisco
• Mitel
• Oracle
• Pascom

So, basically, as long as a company has a large enough portfolio or base their product on Java, something is affected by this issue.

Thanks to Dan Jenkins for pointing us to the Matrix tweet.

To compile this list, we used a more complete list covering any vendors. Thanks to everyone who contributed!

Security talks at CommCon 2021

CommCon Virtual 2021 happened in December. It had an amazing list of RTC presentations and talks most of which I still have to catch up on. The following were RTC security related presentations:

• SentryPeer - A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot. — by Gavin Henry
• APIBAN — by Fred Posner
• Extending Matrix’s E2EE calls to multiparty — by Matthew Hodgson

We covered these presentations when they were given at previous conferences. If you didn’t watch them already, CommCon’s the latest version of each one.

Enable Security plans 2022 (advert)

What are our plans for the next year? Firstly, we hope to get to a closure with the OpenSIPS security audit. We had some great results so far and there are a number of fixes in the OpenSIPS project that have been already included. But we have more to do, especially in the area of DoS vulnerabilities and some components that are part of the project that we have not touched yet.

Secondly, we look forward to working with our clients. It seems that we’ll especially be focusing on:

• RTC infrastructure providers
• CPaaS platforms
• Cloud PBX platforms

And, there is SIPVicious PRO and our DDoS simulation exercises that have been getting attention in 2021. We will certainly have more news on these two fronts early next year.

If you would like to discuss potential security testing, consultancy for your company in Q1 or Q2 - reply to this email or contact us.

0xinfection’s write up about FreeSWITCH vulnerabilities

Our friend and ex-colleague Pinaki wrote about two of the FreeSWITCH vulnerabilities that we published recently. He worked on research this while working with us at Enable Security. Check out his blog post here: https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/. It walks you through how he reproduced the issues, then provides analysis and verification of the vulnerabilities. It is a well written post and highly recommended.

More vulnerabilities fixed in RTC software

• CVE-2021-34423 - Buffer overflow in Zoom Client and other products
• CVE-2021-34424 - Process memory exposure in Zoom Client and other products
• CVE-2021-34425 - Server Side Request Forgery in Zoom Client for Meetings chat
• CVE-2021-44538 - Buffer overflow in libolm and matrix-js-sdk, affecting Element and other Matrix clients

Actual references:

• https://explore.zoom.us/en/trust/security/security-bulletin
• https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

Featured tweet

Looking for gift ideas for that IT person in your life? Try log4j. It’s the gift that keeps giving. Over and over.

From @Maliciouslink

Reference: https://twitter.com/Maliciouslink/status/1471835859850866697

Short news and commentary

• Prflxion - a WebRTC ip leak
  • https://blog.peer5.com/prflxion-or-how-we-uncovered-a-webrtc-ip-leak/
• SS7 abuse
  • https://www.bloomberg.com/news/articles/2021-12-06/this-swiss-tech-exec-is-said-to-have-operated-a-secret-surveillance-operation
• How to build large-scale end-to-end encrypted group video calls
  • https://signal.org/blog/how-to-build-encrypted-group-calls/

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here