The sun is shining (at least on this part of the hemisphere), new exploits and builds are published and everything is good. Welcome to the June edition of RTCSec!
In this edition, we cover:
- Our news: presenting at TADSummit in November and releasing two new SIPVicious PRO versions
- The Open-Source Telecom Software Survey which needs filling up
- Ransomware attacks using Mitel’s VoIP appliances as an entry-point
- Carrier related issues, including Syniverse compromise and call forwarding trick
- Vulnerabilities that were fixed in Sofia-SIP (FreeSWITCH), pjsip, Mitel phones and VitalPBX
- and much much more
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. Do:
- forward to that person who may find this newsletter particularly fruitful.
- let me know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.rtcsec.com/newsletter.
TADSummit 2022 happening in Portugal and we’re presenting
It looks like there will be a TADSummit in November at an actual physical location and of course, online. This will cover a number of industry topics, including the topic of this very newsletter - RTC (or telecommunications) security. On that subject, there will be a talk about Identity in programmable communications, robocalls and DDoS workshop that Alan Quayle and myself (Sandro Gauci) will be facilitating.
I’ll also be giving a new talk called “How to bring down your own RTC platform. Running DDoS simulations on your own.” - where I’ll essentially be giving out guidance on how replace us!
Experimental SIPVicious PRO build now includes STIR/SHAKEN support, and 5 new tools
We just made two builds available to our SIPVicious PRO members. One is called the stable build, while the other is the experimental build. Naturally, the stable build is the one that contains the boring updates. These are some of the updates made:
- Opus default is now using the rate 48000 which fixes an incorrect default
- SRTP-DTLS supported throughout all the tools that speak RTP
- Support for SHA in the SIP password cracker
- SIP DoS flood tool was missing debugging functionality, i.e. the
tls-key-logflags were not wired up
- Lots of stability fixes - thanks in part, to fuzzing our own fuzzers and tools and bug reports from our dear members
Anyway, who cares about stability? (we do)
The experimental version is where the excitement is. Our members now have access to 5 new tools and a number of enhancements that we find useful in our work:
- new tools:
- RTP fuzzer
- SIP STIR/SHAKEN fuzzer
- SIP Iterator utility
- TCP flood tool
- SIP server for fuzzing
- STIR/SHAKEN flooding support in
sip dos flood
- STIR/SHAKEN support in
sip utils call
- support for multiple source IPs for
sip dos flood
- STIR/SHAKEN flooding support in
Full details of what is new can be read at the release notes page.
On top of that, the SIPVicious documentation site is refreshed and updated to match the bold color scheme and design that we adopted here at Enable Security. And it separates the stable and experimental tool documentation since some of the same tools may behave differently depending on the build. Check it out at https://docs.sipvicious.pro.
Security consultancy (sponsored)
If you are automating your security tests, perhaps even using SIPVicious, we are here to help. See our consultancy page here: https://www.enablesecurity.com/consultancy.
Open-Source Telecom Software Survey for 2022 is on
Dear readers and friends, it is time to fill up that Open-Source Telecom Survey (by Alan Quayle)! Stop reading and click here.
Why? Because understanding trends helps the community learn where the gaps are and what works. This time it covers important topics of interest to the audience of this newsletter, especially DDoS, security testing, defensive techniques and mechanisms and .. STIR/SHAKEN. Also, if you were tired of all the security questions in last year’s questionnaire, you’ll be delighted to learn that yours truly gave the security related questions a much needed haircut.
What is also quite nice is that Alan shares the results of the survey with those who complete it as soon as they’re available, and presents them at the TADSummit which is happening in November later this year. So if you are involved in open-source communications, keep an eye on this topic.
Mitel VoIP appliances used in ransomware attack
Mitel have not been very lucky lately with the security news. The latest involves abuse of a zero-day exploit - CVE-2022-29499 - in a ransomware attack as detailed by Crowdstrike. Essentially, the vulnerable VoIP applications are MiVoice Connect appliances (SA 100, SA 400 and Virtual SA). The blog post by Crowdstrike does a very good job detailing the results of their forensics investigation and indicates that the vulnerable MiVoice Connect appliance in question was used as the entry-point into an organisation’s network.
The vulnerabilities exploited in the Mitel appliance were related to the web interface and problematic PHP application code.
Syniverse (Vodafone supplier) compromised since May 2016
This one seems like a big deal considering the sort of access that is required to provide services provided by the allegedly compromised company, Syniverse. They are essentially a CPaaS, providing connectivity to mobile operators globally.
Call forwarding “trick” allows for Whatsapp account hijack
This article is about a trick posted by Rahul Sasi (of CloudSEK) which can be used to hijack Whatsapp accounts. Summarized, it goes like this:
- Adversary social engineers victim into calling the MMI codes to forward all calls to a phone number controlled by adversary
- Adversary starts Whatsapp registration process to register as victim’s phone number
- Adversary chooses voice as verification method (instead of SMS)
- Adversary hijacks victim’s Whatsapp account
This is one of those few times where security people are highlighting the problems of voice calls for authentication, instead of SMS OTP (see the Syniverse coverage). Also, this seems to be a very old-school attack that is being applied to Whatsapp authentication. But really, being able to cause all calls to be forwarded to a different number introduces many other problems for the victims. MMI codes are relatively obscure to most people these days, yet still there.
It got me thinking, would anyone miss them if they were gone?
Discord as a financial messenger - what could go wrong?
Vice published an interesting article which talks about privacy issues within Discord and how its threat model focuses on gamers and certainly not crypto-trading and crypto related projects. However, it seems that the crypto people have a soft spot for Discord and are making the wrong assumptions as to its security and privacy features.
One of the main claims that the Discord API appears to leak the name, description, members list and activity data of every private channel on every server. The article mentions a number of other issues and caveats and is worth a read if you’re interested in large platforms of the sort.
Metasploit 6.2 released which adds a SIP capture module
In the Metasploit 6.2 announcement, there was mention of a new capture plugin that has support to capture SIP authentication. The same plugin captures many other protocols too, most typically NTLM, and SMTP, Telnet, FTP, and so on.
Here’s the description of the module:
This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.
Nessus adds a Cisco IOS-XE destination pattern bypass module
The vulnerability scanner, Nessus has a new module that detects a Cisco IOS vulnerability that leads to toll fraud when abused. Description of the module:
A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers.
This vulnerability is due to insufficient validation of dial strings at Foreign Exchange Office (FXO) interfaces. An attacker could exploit this vulnerability by sending a malformed dial string to an affected device via either the ISDN protocol or SIP. A successful exploit could allow the attacker to conduct toll fraud, resulting in unexpected financial impact to affected customers.
The check from Nessus relies on detecting the version of the Cisco IOS-XE so it does not seem to be actually demonstrating the vulnerability. The patch has been available since September 2021.
Vulnerabilities of the month
C0ss4ck still at it with FreeSWITCH (Sofia-SIP) and pjsip vulnerability reports
We have covered the work of C0ss4ck from Bytedance Wuheng Lab before and this month, this security researcher has gotten more vulnerabilites fixed in VoIP software based on Sofia-SIP (especially FreeSWITCH) and PJSIP. Check out the advisories below:
- CVE-2022-31031 - STUN handling in PJSIP buffer overflow fix
- CVE-2022-31001 - an out-of-bound read in
sip_method_d- leads to a crash
- CVE-2022-31002 - an out-of-bound read in
url_canonize2- also leads to a crash
- CVE-2022-31003 - a head-overflow in
sdp_parse- guess what it leads to? Yes a crash but maybe it could also be exploitable to get remote code execution
Mitel phones had a backdoor when booted into special mode
Researchers from the security firm Syss have reported vulnerabilities in Mitel phones (6900 Series) that allow attackers with physical access to gain root access to the phone. This is related to the phone starting a telnet backdoor when booting up while pressing the
# keys on the phone. It is tracked as two CVEs:
Further information here:
VitalPBX missing access control vulnerability
This one is tracked as CVE-2022-29330 with the following description:
Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.
Blog post by Corinne Henin & Thibaut Henin of Arsouyes about the vulnerability: https://www.arsouyes.org/en/blog/2022/2022-06-30-VitalPBX-0day.
Tweet of the month
We keep promoting Tim Panton’s tweets because they can pack a punch. Here’s one about the Syniverse intrusion:
This is fascinating - afaik all 2FA sms’s go via Syniverse - so this hack could have compromised any target using sms 2FA - especially ones who were roaming off their home network.
You know that number validation SMS you got when you signed up with Signal ? - It almost certainly went through Syniverse. Does it matter? Probably not, but perhaps it does, depending on your theat model.
Short news and commentary
- China state sponsored attackers targeting Telcos / network providers - joint advisory from the NSA, CISA and FBI
- Jitsi: A stepping stone towards end-to-end encryption on mobile
- Saul Ibarra Corretge of Jisti wrote about the next steps to getting Jitsi to use E2EE fully, not only for the webapp but also the mobile versions
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.
To subscribe: here