Highlights from the past year and various security fixes

Published on Dec 22, 2022

Welcome to the last RTCSec newsletter of 2022!

In this edition, we cover:

Looking back at the past year and best wishes for the New Year
Jitsi gets verification for E2EE
OSS-Fuzz now testing PJSIP
Vulnerabilities fixed in Drachtio, BigBlueButton, Cisco IP Phones and more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

forward to that person who may find this newsletter particularly fruitful.
let me know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

So long and see you in 2023!

It has been quite a good year for this newsletter. It grew from just over a hundred subscribers to almost 400. Given its niche topic, no actual advertising, this doesn’t sound too bad. We are very grateful to you, dear reader, for sharing this newsletter with your friends and colleagues who also benefit from reading its contents.

Here are some RTCSec newsletter highlights from 2022:

The WebRTC vulnerability (CVE-2022-2294) that was abused in the wild to deliver malware covered in July and September
A new WebRTC IP leak discovered and fixed
How Microsoft Teams Direct Routing can be abused in certain SBC configurations
A number of major vulnerabilities and exploitation in the wild for Mitel equipment, covered in March, May, June, July and September
For our own personal highlights, do keep reading.

We are issuing this month’s edition a bit earlier because, like most, we are going to take some time off for the next few weeks. We’ll be doing our fair share of reflecting over the past year but also very much looking forward and preparing for the next one.

Until then, we wish you all restful holidays!

Looking back at 2022 for Enable Security

It was a very busy year for us this one. Yet, we had less publications than some of the past years because our customers kept us truly busy. Most of the work that we did, naturally, we cannot talk about given the nature of penetration testing. To cater for our and our customer’s success, we have been expanding and hiring security researchers, both as part of the core team at Enable Security and specialized freelancers . As anyone doing any hiring knows, this is not easy, but we have quite some progress on that front.

That said, we did have a couple of publications that I would like to celebrate:

We have been constantly refining and developing our internal tools and knowledge that hopefully, we’ll be able to publish more of next year. In fact, we wrote a little about an internal tool called Gasoline v2 and our Attack Platform in August’s newsletter. Thanks to these improvements, we have covered a number of DDoS simulations and Penetration Testing of various targets, many SIP based, a number of APIs, messaging protocols such as SMPP and MM4, and most interestingly - our latest favourite complex beast: WebRTC. Finally, we have made consultancy a regular thing that brings us closer to our customers which is an approach that we are very comfortable with.

If you have been considering working with us for the next year, now seems like a good time as ever to get in touch.

What’s happening?

Jitsi Meet upgraded its E2EE with verification

Jitsi Meet has had end-to-end-encryption (E2EE) support since a while but until now, you could not verify the users. Thus as a participant in a call, you did not have straightforward cryptographic proof that who you’re speaking to is who they claim to be. Well, now Jitsi also has user verification. One fun part is that when doing user verification, you get to read off the names of various Emojis and confirm with the other party that that is also what they see on their screen. Then you can mark the other user as verified so that future calls do not require this fancy, but useful procedure.

It is still beta - but essentially looks exactly like Matrix’s simply because Jitsi’s developers are using the Matrix open source protocol and libraries.

Incidentally, this was something that Martin R. Albrecht and other researchers helped convince Jitsi in finally implementing. These same researchers have previously published vulnerabilities (also covered in a past RTCSec newsletter) in other E2EE chat and conferencing services like Matrix.

References:

Jitsi blog post: https://jitsi.org/blog/trust-but-verify-introducing-user-verification/
Tweet from Albrecht: https://twitter.com/martinralbrecht/status/1600241405703516160
Matrix vulnerabilities: https://nebuchadnezzar-megolm.github.io/

PJSIP adds support for OSS-Fuzz

The PJSIP project is now being tested using OSS-Fuzz thanks to a pull request by Arjun Singh.

At the time of writing, two issues have been found so far in pj_stun_msg_decode and pj_strdup:

The fuzzing engine that was used to find these issues is AFL and CVE-2022-23537 has been assigned to the overflow in the STUN message decoder.

Reference:

More Drachtio vulnerabilities fixed this month

Last month we covered two CVEs reported by Agostino Sarubbo on Drachtio, the Node.js framework for SIP server applications. This time he has reported three new vulnerabilities:

CVE-2022-47517: url_canonize2: heap-based buffer overflow in (Sofia-SIP)
CVE-2022-47516: tport_tsend: Assertion self failed (Sofia-SIP)
CVE-2022-47515: StackMsg::appendLine: long incoming message crashes server

The first two vulnerabilities were found in the Sofia-SIP fork whilst CVE-2022-47515 was found in the drachtio-server codebase.

Version 0.8.20-rc3 contains patches for these vulnerabilities.

BigBlueButton fixed various security issues of medium to low severity

BigBlueButton, the open source web conferencing system, published seven security advisories with low to medium severity rating:

DoS via failed authToken validation (CVSS3.1: 4.3) (Fixed in v2.4.3, v2.5-alpha-1)
Ineffective user bans (CVSS3.1: 4.3) (Fixed in v2.4-rc-6, v2.5-alpha-1)
Improper enforcement of moderator-only webcams setting (CVSS3.1: 4.3) (Fixed in v2.4-rc-6, v2.5-alpha-1)
Improper access control for setting emoji status (CVSS3.1: 2.7) (Fixed in v2.4-rc-6, v2.5-alpha-1)
Grace period for whiteboard permissions (CVSS3.1: 2.7) (Fixed in v2.4.3, v2.5-alpha-1)
Response leaks in anonymous polls (CVSS3.1: 5.7) (Fixed in v2.4.0, v2.5-alpha-1)
Improper access control to polling votes (CVSS3.1: 6.5) (Fixed in v2.4.0)

Most of the vulnerabilities were related to BigBlueButton’s HTML5 client project which has been developed using React and Meteor.

It’s recommended to upgrade to v2.4.3, v2.5-alpha-1 or the latest versions.

References:

Security issues in ZED-3 VoIP products

ZED-3 is a Chinese manufacturer of communication systems. A researcher by the name of Yuan Lirong has discovered three vulnerabilities in two ZED-3 appliances/devices:

VoIP simplicity
- Reflected XSS in login (CVE-2022-44235)
- Weak password (CVE-2022-44236)
Multimedia Dispatching System
- Reflected XSS in login (No CVE has been assigned)

We couldn’t find any official security advisories or patches related to these issues at the time of writing.

References:

https://github.com/liong007/Zed-3/issues

Stack overflow in Cisco IP Phone 7800 and 8800 Series

Cisco has published an advisory for an unauthenticated stack buffer overflow vulnerability in its IP Phone 7800 and 8800 Series. It is considered high severity and may lead to remote code execution. This issue was found in the Cisco Discovery Protocol (CDP), which is a proprietary networking protocol used by Cisco devices to share information such as OS version and IP addresses with other Cisco devices.

Fixes for this issue will be published in January 2023 and, while there is no workaround for this vulnerability yet, Cisco has suggested the following:

Administrators may disable Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices. Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on.

References:

Nextcloud Talk kept sending video streams after you kick someone off

Nextcloud Talk (spreed) is a Nextcloud app which brings chat, video & audio calls (using WebRTC) to Nextcloud. A vulnerability has been discovered by Daniel Calviño Sánchez which allows users to keep on receiving video streams of a call from which they have been removed.

This vulnerability affects the following versions:

12.X.X before 12.2.8
13.X.X before 13.0.10
14.X.X before 14.0.6
15.X.X before 15.0.0

To stay safe, it’s recommended to upgrade to the patched versions.

References:

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

Wildix fixed an SSRF vulnerability

Quoting from the Wildix changelog:

[WMS-15910] - sys: fixed a vulnerability issue with Server-side request forgery (SSRF) via the component ZohoClient.php in the WMS

Note: Manual fix was delivered by Wildix RnD to all PBXs (independently of the version). A final fix was released to the repository rel60beta in version 6.02.20221217.1

(which means that after any upgrade - the PBX will still have the secure version).

References:

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here