OpenSIPS security audit report is out, Zoom and Wire RCEs and DTLS

It is the end of May and we have, at the last minute, put together this month’s newsletter! Originally, we had doubts that we had much content for this month. Clearly we were underestimating the amount of last minute news in the RTC security world.

In this edition, we cover:

• OpenSIPS security audit report publication
• Pentesting in Q4? and more Enable Security news
• Zoom vulnerability chain lead to an RCE
• XSS in Wire client leads to RCE
• Pion DTLS vulnerabilities fixed and some details
• Vulnerabilities in BIG-IP, Grandstream and Mitel
• Tweets of the month

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

• forward to that person who may find this newsletter particularly fruitful.
• let me know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

Planning your pentests for Q4? (sponsored)

It has been a very productive year so far here at Enable Security and we are grateful to our clients and friends who kept us very busy indeed this year! We covered a lot of ground in terms of pentesting and DDoS simulations. Now that the second quarter of 2022 is coming to an end, our Q3 schedule is looking almost full with our availability in September already partially booked.

If you would like to book us for Q4, please do get in touch now: https://www.enablesecurity.com/contact/

The OpenSIPS Security Audit report is out!

During much of the late 2021 and early in 2022 we worked on the OpenSIPS Security Audit. The OpenSIPS project has now published the minimized version of the report showing 15 security-relevant findings. Of course, all of these issues were addressed in the latest and greatest versions of OpenSIPS.

The following security issues were identified:

• Segmentation fault due to invalid Content-Length header (CVSS: 8.6)
• Crash when specially crafted REGISTER message is challenged for authentication (CVSS: 8.6)
• Buffer over-read in function delete_sdp_line leads to DoS or undefined behaviour (CVSS: 8.6)
• Buffer over-read in the function parse_param_name leads to DoS or undefined behaviour (CVSS: 8.6)
• Buffer over-read in the function extract_field leads to DoS or undefined behaviour (CVSS: 8.6)
• Buffer over-read in function extract_rtpmap leads to DoS or undefined behaviour (CVSS: 8.6)
• Buffer over-read in the function extract_fmtp leads to DoS or undefined behaviour (CVSS: 8.6)
• Off-by-one error in the function append_hf leads to a crash (CVSS: 8.6)
• Segmentation fault in the function build_res_buf_from_sip_req might lead to DoS (CVSS: 6.2)
• Segmentation fault when calling the function calc_tag_suffix leads to DoS (CVSS: 8.6)
• Crash in the function t_reply_matching may lead to DoS (Info)
• Heap-buffer-overflow in function parse_hname2 leads to AddressSanitizer false positives (Info)
• Segmentation fault in the function rewrite_ruri leads to DoS (CVSS: 8.6)
• Memory leak in parse_mi_request might lead to Denial of Service (CVSS: 7.1)
• Buffer over-read in function stream_process leads to DoS (CVSS: 8.6)

We will provide an update on this topic on our blog, but in the meantime, do check the OpenSIPS blog post about this: https://blog.opensips.org/2022/04/28/opensips-security-audit-facts-and-results/

The report can be read here: https://opensips.org/pub/audit-2022/opensips-audit-technical-report-min.pdf

We also gave the OpenSIPS developers a review of our work and what we would like to see next. The slides can be seen here: https://blogopensips.files.wordpress.com/2022/04/opensips-audit-slides-2022-04-13.pdf

Communication Breakdown design gets a refresh

The design for our blog (and newsletter) has been updated to make a bolder statement. Here’s the before and after:

Please check it out at https://www.rtcsec.com and let us know about what is not working (I’m sure we missed a few things) - by replying to this newsletter or sending me an email: sandro@enablesecurity.com.

We’re still hiring

With last month’s RTCSec newsletter, we announced that we are hiring. We had a large number of applications and a few promising candidates. It has been quite a learning experience for us, having done this for the very first time.

The position is, at the time, still open so if you know anyone who might be fit, do send them here: https://hs.enablesecurity.com/join-us/pentester

Careful who you trust - presentation at Nullcon

The presentation called Careful Who You Trust: Compromising P2P Cameras At Scale by E. Barzdukas and J. Valletta & D. Franke, was given at Nullcon Berlin 2022. I went through the presentation and my quick summary is as follows:

Spoofing the UID of camera devices on the ThroughTek’s Kalay P2P network, leads to disclosure of the device credentials, which allows compromise of audio and video data. This in turn allows IO control layer (IOCTRL), which exposes a lot of security issues. One of these vulnerabilities involves firmware updates and leads to remote code execution (RCE). Most of the talk is about the IOCTRL layer and exploitation and a great advert for Frida (which we also love) and they cover the custom authentication mechanisms in specific devices that use the Kalay Network.

As Tim Panton pointed out last month, some of what they talk about would have been made more secure by default, had the vendor used WebRTC standards and perhaps, libraries. This, in comparison with making use of a custom-made solution such as the Kalay platform, means that network transport encryption would be on by default and authentication should not be an afterthought. However, for something like this, WebRTC still isn’t a magic wand that solves all problems, and naturally, would introduce new ones. Having said that, I would still go with something more standard (i.e. WebRTC standards) for devices that do real-time stuff. The advantage is that the security and vulnerabilities are better understood and documented than with custom platforms, protocols and networks.

In terms of actual official solutions, to avoid the initial vulnerability, Device Impersonation (CVE-2021-28372), the vendor recommended updating the SDK/library and using “AuthKey” and “DTLS” features of Kalay network.

Reference: https://www.youtube.com/watch?v=YBbG7OQB-GQ

Video calling applications sometimes ignore mute

It turns out that that mute button on your favourite video conferencing app may not do what you would expect it to do! Researchers looked at the following apps:

• Zoom (Enterprise)
• Slack
• MS Teams / Skype
• Google Meet
• Cisco Webex
• BlueJeans
• WhereBy
• GoToMeeting
• Jitsi Meet
• Discord

The paper explicitly highlights Webex as a primary offender in its conclusion:

We discovered that while muted, Webex continuously reads audio data from the microphone and transmits statistics of that data once per minute to its telemetry servers.

The study is indeed interesting and the underlying issue is definitely cause of concern. But, honestly, I expected much worse.

References:

• Paper: https://wiscprivacy.com/publication/vca_mute/
• News article: https://thenextweb.com/news/muting-your-mic-doesnt-stop-big-tech-recording-your-audio

T-Pot, the Deutsche Telekom Honeypot

Dionis Shabani wrote a tutorial on how to get the Deutsche Telekom’s honeypot, naturally called T-Pot (love the name), running on Debian 11. This honeypot is interesting to us since it includes some RTC components by using Sentrypeer. It also includes Dionaea which has a SIP module too.

Give it a read here: https://medium.com/@ds48199/implementation-of-deutsche-telekom-honeypot-t-pot-on-debian-11-b737652101e3

And the blog post from the official Deutsche Telekom security team’s blog: https://github.security.telekom.com/2022/04/honeypot-tpot-22.04-released.html

Or go directly to the project at https://github.com/telekom-security/tpotce.

VoIP is used by Wizard Spider

The Hacker News has published an article called Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang. The part that caught my attention was the following:

What’s more, the group has invested in a custom VoIP setup wherein hired telephone operators cold-call non-responsive victims in a bid to put additional pressure and compel them into paying up after a ransomware attack.

This is not the first time the group has resorted to such a tactic. Last year, Microsoft detailed a BazarLoader campaign dubbed BazaCall that employed phony call centers to lure unsuspecting victims into installing ransomware on their systems.

Read the rest here: https://thehackernews.com/2022/05/researchers-expose-inner-working-of.html

Security Code Audit - For Fun and Fails

Frycos - whose work was previously covered on this newsletter due to the excellent 3CX vulnerability report - published a new post. This one deals with the realities of security code audits and vulnerability research in general, which have a tendency to be quite different than what the movies allude to.

For this research piece, Frycos chose another PBX product, one called Starface Comfortphoning. This one is a valuable narrative that shows how one would go about scoping the target, choosing what to audit in terms of code, and the different points of view that could be taken.

In fact, the author did find a number of issues. One of which was a remote code execution that required authentication to an administrative interface. The vulnerability involved uploading a fake backup ZIP file with a malicious manifest.xml that basically executed the commands given in the XML contents. Another involved a dangerous file upload which could be done through an authenticated low privileged user. But it is not clear if the uploaded file is accessible to attackers, which is how it would be exploited to gain remote code execution.

As the author hints, perhaps only around 10% of the code was checked during this exercise. What I personally find slightly annoying is that only the web attack surface was checked. But a phone system, such as Starface’s, will have other areas that are exposed - most notably the signalling and media handling (i.e. SIP and RTP - which is done via Asterisk PBX). Oh and there’s a process called hfaxd that listens on 0.0.0.0 waiting to be poked and prodded!

Thanks to Frycos for the inspiring story and giving us an insight into their activities.

Reference: https://frycos.github.io/vulns4free/2022/05/24/security-code-audit-fails.html

Pion DTLS vulnerabilities fixed

The Pion DTLS package was patched to fix 3 vulnerabilities, two of which cause denial of service and one affecting the integrity. The issues were reported by Juho Nurminen who, it seems, has been doing some interesting things related to the topic of RTC security.

Technical details were not published in the actual advisories for the DoS issues, although there are clear hints. So we looked at the code changes to get a better understanding of what is happening here.

Based on that, here’s our summary:

• Header reconstruction method can be thrown into an infinite loop
  • Description: An attacker can send packets that will send Pion DTLS into an infinite loop when processing.
  • Our comment: those packets consist of a zero length fragment, which before the fix, would loop due to an if fragmentEnd != f.handshakeHeader.Length {} never returning; this one seems easy to exploit hence the CVSS rating of 7.5
  • Actual fix: https://github.com/pion/dtls/commit/e0b2ce3592e8e7d73713ac67b363a2e192a4cecf
  • Advisory: https://github.com/pion/dtls/security/advisories/GHSA-cm8f-h6j3-p25c
• Buffer for inbound DTLS fragments has no limit
  • Description: A buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or times out. An attacker could exploit this to cause excessive memory usage.
  • Our comment: Of course this also has to do with fragments, and seems to be easy to exploit as well but, perhaps, may take a long time to exploit and maybe the timeout would prevent this issue from getting a high rating in terms of availability and CVSS scoring
  • Actual fix: https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de
  • Advisory: https://github.com/pion/dtls/security/advisories/GHSA-cx94-mrg9-rq4j
• Client Certificates are accepted without CertificateVerify
  • Description: A DTLS Client could provide a Certificate that it doesn’t posses the private key for and Pion DTLS wouldn’t reject it.
  • Our comment: this is an authentication bypass and actually seems quite interesting. This one would be very interesting to try to reproduce.
  • Actual fix: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
  • Advisory: https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh

Congratulations to the Pion team for the fixes, and great work by Juho!

Twitter references:

• https://twitter.com/_pion/status/1524125558065573889?cxt=HBwWgsC9mdaH5KYqAAAA&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email
• https://twitter.com/_pion/status/1526253640075321345?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email
• https://twitter.com/jupenur/status/1524133441981366272

Wire XSS to RCE and account compromise

The Wire app fixed a cross-site scripting vulnerability that led to remote code execution on the desktop client. The vulnerability reporter posted a video on Twitter showing how they could use this issue to launch any application by abusing this XSS.

Check out the video:

https://twitter.com/po6ix/status/1520020506283544576?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email

The advisory from Wire is over here: https://github.com/wireapp/wire-webapp/security/advisories/GHSA-5568-rfh8-vmhq. Tracked as CVE-2022-24799.

I guess this is just a reminder that for Electron apps, such as Wire, XSS can be really dangerous.

Yet another SIP ALG vulnerability - CVE-2022-26370

https://nvd.nist.gov/vuln/detail/CVE-2022-26370

Another vulnerability which affects a SIP ALG (application layer gateway) implementation, this time in F5 BIG-IP versions 16.1.x. Abuse of this vulnerability is said to cause the Traffic Management Microkernel (TMM) to terminate.

Last month we covered similar issues in JunOS (CVE-2022-22198), while in February we covered another vulnerability (CVE-2022-23025) also in F5 BIG-IP.

Our recommendation remains:

If you’re running anything like a stateful firewall, disabling SIP ALG will reduce your attack surface.

SQL and command injection in Grandstream PBX

Tenable, makers of Nessus vulnerability scanner, discovered that Grandstream UCM6200 have both an SQL injection and a command injection vulnerability. This is exploited through the web interface of the vulnerable PBX system.

It seems that the vulnerability was published and patched back in 2020 but detection was added in Nessus just in 2022 this month.

References:

• https://vulners.com/nessus/GRANDSTREAM_SIP_CVE-2020-5722.NASL
• https://www.tenable.com/security/research/tra-2020-15
• https://github.com/tenable/poc/blob/master/grandstream/ucm62xx/pbx_sploit.py

Mitel 6800 and 6900 Series SIP phone devices “undocumented behavior”

The CVE details read as follows:

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have “undocumented functionality.” A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

The security bulletin does have a few more details:

A vulnerability has been identified in Mitel 6800 Series SIP Phones and 6900 Series SIP phones running SIP firmware, which could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control functionality during system start-up. A successful exploit could allow access to sensitive information and code execution within the context of the Mitel 6800 or 6900 SIP Phone (excluding the 6970).

The vulnerability is limited to a malicious actor that has physical access and can connect via local area network and requires restarting the phone.

The risk due to this vulnerability is rated as Medium

References:

• https://nvd.nist.gov/vuln/detail/CVE-2022-29855
• https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0004

Zoom client RCE with xmpp stanza smuggling

Google’s Project Zero published a vulnerability chain that affected Zoom chat. Essentially, it went like this:

1. Smuggling of XML stanzas was possible due to XML parser differences between the Zoom client and server
2. So an attacker could send control stanzas to Zoom clients that appear to be coming from Zoom’s XMPP server
3. This could be abused to force the victim client to connect to an attacker controlled server, allowing for man-in-the-middle
4. Which could be abused to bypass a signature check on the update installer
5. Which allows attackers to install malicious software on vulnerable Zoom clients

Ivan Fratric does an excellent job in explaining the vulnerability chain at the official report here: https://bugs.chromium.org/p/project-zero/issues/detail?id=2254.

Very sneaky I must say.

The vulnerabilities exploited are tracked as:

• CVE-2022-25235
• CVE-2022-25236
• CVE-2022-22784
• CVE-2022-22785
• CVE-2022-22786
• CVE-2022-22787

Tigase XMPP stanza smuggling via unescaped quotes

Also by Google’s Project Zero / Ivan Fratric:

Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to “smuggle” (or, if you prefer, inject) arbitrary attacker-controlled stanza in the XMPP server’s output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).

Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=2275

Tweets of the month

Pwn2Own commentary of interest

Ivan Fratic (busy person) tweeted:

Four attempt against Microsoft Teams but none for Zoom, iiiiiinteresting. Also a single person targeting web browsers and no attempts against Chrome/Edge.

Referring to the Pwn2Own Vancouver 2022 event where different security researchers try to break into various targets, including video conferencing applications.

Reference: https://twitter.com/ifsecure/status/1526826742698201089

DTLS 1.3 TLDR

Robert Merget (@ic0nz1) posted a useful thread on Twitter giving his summary about DTLS 1.3, which was just published.

Reference: https://twitter.com/ic0nz1/status/1519236180348477443

Short news and commentary

• Independent public audit of Vodozemac, a native Rust reference implementation of Matrix end-to-end encryption
  • https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption
  • The audit identified 10 valid concerns, mainly related to cryptographic constructs and primitives
• Kamailio v5.6.0 released
  • https://www.kamailio.org/w/kamailio-v5-6-0-release-notes/
  • Most interesting for us is the new misctest module which is meant to help with OSS Fuzz troubleshooting

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here