Skip to main content
RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.

Subscribe

May 2023: RTC conferences, advisories for Cisco, Mitel, sofia-sip

Published on May 31, 2023

Welcome to the May edition of the monthly VoIP and WebRTC security newsletter!

In this edition, we cover:

  • Kamailio World in Berlin and CommCon in the UK
  • Open Source Telecom Software Survey 2023
  • Asterisk PBX and ASAN compilation
  • SIP-based vulnerabilities in Shannon Baseband vulnerabilities
  • many more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

  • forward to that person who may find this newsletter particularly fruitful.
  • let us know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

Are you visiting Kamailio World or CommCon?

We’ll be in Berlin for Kamailio World and then in the UK for CommCon showing our latest research and development and learning about our favorite topics. If you’re also visiting and would like to set up a meeting, get in touch with me, Sandro by replying to this email, or LinkedIn/Twitter.

What’s happening?

Open Source Telecom Software Survey 2023

The Open Source Telecom Software Survey 2023 is now ready to be filled in! The survey is open until June 15th and should take no longer than 10 minutes. The survey covers various topics of course, including the following that have special relevance to security:

  • Cyber Security Regulations
  • Representation in RTC OSS Projects
  • Will the Enterprise desktop phone ever disappear?
  • Fraud and Identity CPaaS
  • WebRTC

And our security testing toolset - SIPVicious gets a mention in the RTC Open Source Projects section too!

We’re curious about the answers about desktop phones in part because keeping them updated with the latest security fixes can be quite a challenge. Find the link to the survey over here:

https://alanquayle.com/2023/05/open-source-telecom-software-survey-2023/

Address Sanitizer and Asterisk PBX - a bug report

Agostino Sarubbo filed a bug report for Asterisk about compilation using the Address Sanitizer. When using the sanitizer, the Asterisk process reports a heap overflow upon startup. This behavior was fixed and can be tracked here: https://github.com/asterisk/asterisk/issues/65.

Such issues are usually not exploitable by remote attackers. However, they indicate memory related problems that block security testers from actually fuzzing a project such as Asterisk. The reason is that whenever testers try to make use of ASAN (the address sanitizer), they will trigger the error and never actually be able to fuzz the project until it is fixed.

We have found similar issues in other projects and appreciate that fixing such bugs is often the first step to making any progress with a fuzzing exercise. Thanks to Agostino and the Asterisk project for addressing these issues.

Shannon Baseband vulnerabilities abusing SIP decoders by Project Zero

The advisories from Project Zero for the Shannon Baseband are now public here: https://bugs.chromium.org/p/project-zero/issues/list?q=owner%3Aifratric%40google.com%20sip&can=1.

Also, Natalie Silvanovich gave what should be a very interesting presentation. Unfortunately we did not manage to review it in time for this publication to be able to comment. The video recording can be seen on Youtube:

https://www.youtube.com/watch?v=quw8SnmMWg4

Local vulnerability in MagicJack

People who have been around VoIP since years may remember a product called MagicJack. This is a USB device that allows one to connect a traditional phone to a computer (via RJ11 input) and make VoIP calls through it.

A security researcher, Momen Eldawakhly published a blog post and exploit code showing how the device can be weaponized to deploy malicious software instead of the normal desktop application. The reason behind this is that the device contains a hidden partition on the NAND flash memory that allows write access. References:

CVE-2023-0698 - WebRTC RTCStatsCollector out of bounds memory access vulnerability

Cisco Talos published a blog post about a vulnerability that they discovered in Google Chrome’s WebRTC API. The official fix for this vulnerability was published back in February. This same vulnerability was actually discovered independently by another researcher, Cassidy Kim, who reported it before Talos - so Cassidy gets the credit in the advisories.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1693

Cisco SPA112 2-Port Phone Adapters critical vulnerability not getting patched

These ATA devices were quite popular back in the days. It looks like the hardware in question provides no authentication for upgrading firmware. This means that attackers who can reach the HTTP interface may upload malicious firmware to the device and use that for further attacks. The possibilities are various, from toll fraud (because such devices need SIP credentials) and spying on phone calls, to serving as a foothold into internal networks if such a device is on the Internet. Here is a handy link if anyone is interested in answering that question: https://www.shodan.io/search?query=Cisco+SPA112. At the moment, it looks like Shodan only indexed devices that have port 5060 (SIP) exposed.

The vulnerability is tracked as CVE-2023-20126 and will not be fixed since the affected devices are no longer supported.

https://thehackernews.com/2023/05/cisco-warns-of-vulnerability-in-popular.html

Debian and others fix sofia-sip vulnerabilities from last year

Debian have fixed their sofia-sip package for vulnerabilities tracked as the following CVEs:

  • CVE-2022-31001
  • CVE-2022-31002
  • CVE-2022-31003
  • CVE-2022-47516
  • CVE-2023-22741

These vulnerabilities were originally fixed in the official software back last year and earlier this year.

One (obvious, in hindsight) thing that we have noticed is that in many cases, VoIP software security patches lag behind by quite a bit when it comes to official Linux Distro packages. Vulnerability tracking is hard!

Reference: https://www.debian.org/security/2023/dsa-5410

Mitel MiVoice Connect advisories released

A variety of vulnerabilities were fixed in the Mitel MiVoice Connect products. Here’s the list:

  • MiVoice Connect Mobility Router Command Injection Vulnerability (CVE-2023-31460)
  • MiVoice Connect Mobility Router Default Password Vulnerability (CVE-2023-31459)
  • MiVoice Connect Default Password Vulnerability (CVE-2023-31458)
  • MiVoice Connect Improper Access Control Vulnerability (CVE-2023-31457, CVE-2023-32748)
  • MiVoice Connect Reflected Cross-site Scripting Vulnerability (CVE-2023-25599)

There was also a vulnerability fixed in MiCollab:

  • MiCollab Authentication Vulnerability (CVE-2023-25598)

Advisories can be found at the usual place: https://www.mitel.com/support/security-advisories

sofia-sip overflows in the STUN parser

New vulnerabilities have been fixed in the stun_parse_attr_error_code and stun_parse_attr_uint32 functions within sofia-sip. Read the full advisory here:

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here