April 2023: 3CX incident updates, WebRTC security and H264

April brings with it conference announcements, updates to the 3CX incident and a very interesting paper about the most popular video codec.

In this edition, we cover:

• New fuzzing of RTP codecs with SIPVicious PRO
• Details about our WebRTC security presentation for CommCon
• News about the 3CX compromise
• and much much more!

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

• forward to that person who may find this newsletter particularly fruitful.
• let us know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

Fuzzing more RTP codecs with SIPVicious PRO

SIPVicious PRO’s experimental build allows fuzzing of VoIP media or RTP. When we introduced this back in July 2022, we supported ulaw, alaw and opus. This gave some interesting results and uncovered crashes for our customers. Therefore we have been expanding our coverage and the next experimental release will support the following new codecs:

• GSM (gsm0610)
• G722
• G729
• G726-32

A bit of testing against real-life software shows that this is effective and important because we did find new crashes during our limited testing. We’ll be adding more, publishing some results and making this available to our SIPVicious PRO self-serve members and up. Reply to this email or get in touch for more details.

CommCon in June and our presentation about WebRTC & Video Delivery security

CommCon is a residential conference in the UK covering the open source media industry. It will take place in June this year and, for the first time, we’ll be visiting in person after having covered the online versions that happened during the pandemic. There are various interesting topics that will be covered by the different speakers but till now, it looks like our presentation is the only one that is primarily about security.

Therefore, we’re very pleased to announce our talk called: WebRTC & Video Delivery application security - what could possibly go wrong?

The synopsis is as follows:

WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handles WebRTC can be attacked. It may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!

More details:

• Details of our talk: https://2023.commcon.xyz/talks/webrtc-video-delivery-application-security-what-could-possibly-go-wrong/
• Rest of the talks at CommCon: https://2023.commcon.xyz/talks/

What’s happening?

Updates on the 3CX supply chain compromise

When we published last month’s newsletter, the 3CX incident was still unfolding. Since then, researchers continued the investigation on the incident and revealed more information.

On April 3rd, Kaspersky published a report on the incident which emphasizes that the Lazarus group as the threat actor, and reports that they found “Gopuram” Windows malware which is linked to the threat actor.

On April 11th, 3CX published the initial results from Mandiant (who they hired) in a blog post. In the blog post they mention three pieces of malware:

• TAXHAUL for persistence on Windows
• POOLRAT for MacOS
• COLDCAT for Windows

They highlight that COLDCAT is different from Gopuram. They also mention that the threat actor is UNC4736 which has a North Korean nexus.

On April 20th, Mandiant published a full detail report on the incident and said that they identified that the initial compromise vector of 3CX’s network was via malicious software (X_TRADER) downloaded from Trading Technologies website by one of the employees. The software contained VEILEDSIGNAL malware which stole the employee’s 3CX corporate credentials from his system. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack.

So finally we can draw the steps as below:

1. Compromise of www.tradingtechnologies[.]com and distribution of compromised X_TRADER updates
2. Infecting a 3CX employee and stealing employee’s 3CX corporate credentials
3. Accessing 3CX build environments and infecting them
4. Infecting 3CX clients and users

References:

• https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
• https://www.3cx.com/blog/news/mandiant-initial-results/
• https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

H.264; The Most Dangerous Codec in the World?

Three researchers from the University of Texas and Oberlin College published a paper titled “The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders”. The paper begins by describing the complexity of H.264 codec which is one of the most popular video codecs:

The H.264 specification is 800 pages long—despite specifying only how to decode video, not how to encode it.

from the paper

The paper introduces H26FORGE which is a domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files. In other words, it is a toolset consisting of a grammar-aware fuzzer for generating H.264 video files, and tools for analyzing and manipulating the files. The researchers used the tool to discover vulnerabilities in video decoder ecosystems and found the following vulnerabilities and more:

• CVE-2022-32939: Buffer overflow in AppleD5500, the video decoder driver shipped with iOS and iPadOS operating systems; causes memory corruption and kernel panic
• CVE-2022-42846: Infinite loop in AppleD5500 affected iOS and iPadOS; causes DoS and kernel panic
• CVE-2022-3266: out-of-bounds read (led Firefox GPU utility process to crash) and information leak in Firefox
• Use-after-free in FFmpeg’s libavcodec, which is used by VLC

An interesting point that the paper mentions is that Decoding video in practice means interacting with dedicated hardware accelerators and the proprietary, privileged software components used to drive them. Due to their nature, video decoders are meant to be fast. Therefore this functionality is often handled by privileged operations which means that when there are vulnerabilities, they may lead to privileged access.

The researchers also did tests on hardware decoders of a variety of Android devices and uncovered more vulnerabilities which are described in the paper.

Video and video decoding are the important components of real-time communications. A large number of VoIP solutions support H.264 codec; so this topic affects RTC security as well.

The following is a short list of VoIP software which support H.264 codec:

• Asterisk
• AudioCodes MobilityPLUS
• Ekiga
• FaceTime
• FreePBX
• Jami
• Jitsi
• Linphone
• Apple Messages
• Microsoft teams
• WhatsApp
• Zoiper

Following the researchers’ approach will most likely uncover vulnerabilities in video-communication software that could put users and companies in danger. As the paper also has mentioned, the problem is especially acute due to to the high privilege of the decoding process, usage of unsafe languages and processing untrustworthy input at the same time. This is known as “the Rule of 2”.

Based on the Rule of 2 we need to pick no more that two of the following:

• untrustworthy inputs;
• unsafe implementation language; and
• high privilege.

With H.264, we have all of these three at the same time together with complexity, which creates an extremely dangerous attack surface.

The video processing stack in Chrome violates the Rule of 2, and so do the corresponding stacks in other major browsers and in messaging apps—because the platform code for driving the video decoding hardware, on which they all depend, itself violates the Rule of 2.

from the paper

Reference: https://www.usenix.org/conference/usenixsecurity23/presentation/vasquez

OpenSIPS Summit talks about security

OpenSIPS Summit is happening on 23-26 May in the US, Houston. The following talks look interesting in particular because they cover topics important for VoIP security:

• Beyond Stir/Shaken - DNO / SPAM stat collection / Analytics Engine / Opensips Filtering by Michael Tindall - Commio
• STIR/SHAKEN Overview by Alec Fenichel - TransNexus
• Securing your OpenSIPS Deployment by Vlad Paiu - OpenSIPS project
• The Dark Side of Caller ID by Brett Nemeroff - Numeracle

Check out the schedule here: https://www.opensips.org/events/Summit-2023Houston/#schedules

Kamailio World in June and security talks

We very much look forward to Kamailio World which is happening in June. There are a few talks that we’ll keep an eye on, especially the following two:

• DDoS Attacks Are Coming For SIP: Are You Ready? by Lucas Christian, Staff Software Engineer, Twilio, USA
• Secure Access With Kamailio To Legacy PBX Systems Behind NAT by Frank Gorgas-Waller, Software Architect, Auerswald, Germany

Going through the list of talks however, makes it hard to exclude other talks which also sound really interesting, such as:

• Monitoring Kamailio with eBFP by Alexandr Dubovikov, CTO QXIP B.V., Netherlands
• How To Routes 1000s Of Trunks (Not Endpoints!) With Kamailio by Sebastian Damm, Pascom, Germany
• WebRTC At Sea by Klaus-Peter Junghanns, AhoyRTC, Germany
• Telecom Test Automation On Steroids by Andreas Granig, Founder Sipfront, Austria
• Bringing Real-Time Text To WebRTC For NG Emergency Services by Lorenzo Miniero, Co-Founder and Chairman Meetecho, Italy
• End-To-End Testing With Sipexer by Alex Balashov, Founder Evariste Systems, USA
• News about NG112/911 by Wolfgang Kampichler, Frequentis AG, Austria

All in all, we really look forward to meeting old friends and making new ones at Kamailio World. Take a look at the schedule.

Detecting SIP attacks with machine learning not SIP headers, by Intuitive Labs

Intuitive Labs’s Jiri Kuthan wrote about their observations of VoIP attacks based on their honeypots and their analysis. They use machine learning for various purposes, including to identify malicious SIP traffic from legitimate traffic. It seems that they are able to tell that a SIP packet with Cisco in the User-Agent header is actually coming from a toolset called sippts whose default user agent is pplsip. The post also includes a few interesting statistics about malicious SIP traffic.

The article can be read at https://www.linkedin.com/pulse/machine-learning-found-cisco-most-abused-brand-voip-attacks-kuthan/

Presentation about Mr. SIP PRO

Melih Tas gave a presentation at a conference called Securi-tay called “My Journey With Mr.SIP Pro:From Hobby Project To Leading VoIP Security Testing Framework”.

Can be watch on Youtube: https://www.youtube.com/watch?v=-qNJNzezrWI

New advisories for the Samsung Exynos chipset, due to SIP attacks on VoLTE

Following last month’s issue where we covered the news on Exynos Modems (chipset) vulnerabilities, we have some minor updates. Samsung Semiconductor has published some new CVEs (without details) as the following:

• CVE-2023-28613: An integer overflow in IPv4 fragment handling can occur due to insufficient parameter validation when reassembling these fragments (9.8 CRITICAL)
• CVE-2023-29085: Memory corruption can occur due to insufficient parameter validation while decoding an SIP status line (7.5 HIGH)
• CVE-2023-29086: Memory corruption can occur due to insufficient parameter validation while decoding an SIP Min-SE header (7.5 HIGH)
• CVE-2023-29087: Memory corruption can occur due to insufficient parameter validation while decoding an SIP Retry-After header (7.5 HIGH)
• CVE-2023-29088: Memory corruption can occur due to insufficient parameter validation while decoding an SIP Session-Expires header (7.5 HIGH)
• CVE-2023-29089: Memory corruption can occur due to insufficient parameter validation while decoding SIP multipart messages (7.5 HIGH)
• CVE-2023-29090: Memory corruption can occur due to insufficient parameter validation while decoding an SIP Via header (7.5 HIGH)
• CVE-2023-29091: Memory corruption can occur due to insufficient parameter validation while decoding an SIP URI (7.5 HIGH)

Reference: https://semiconductor.samsung.com/support/quality-support/product-security-updates/

Post of the month

On April 1st, as is customary, Alex Balashov published the following:

ATLANTA, GA (1 April 2023)–The Federal Ministry for Economic Affairs and Energy of Germany was forced to disclose today that it has been tasked with assessing whether Germany will be able to operate its Kamailio through the next winter.

Read the rest on Linkedin.

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here