Welcome to the July edition of the RTC security newsletter! For this month, we brought back the short news section making this edition a bit shorter than usual. Do you prefer the longer form or is this more to your liking?
In this edition, we cover:
- Our own recent presentation about the VoIP and WebRTC application attack surface
- Booking us for your pentest this year and our involvement with the upcoming OpenSIPIt
- DDoS threat report and VoIP
- SentryPeer news, STIR/SHAKEN problems and malware using RTC!
- Various VoIP or WebRTC vulnerabilities that were fixed in the past month
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. Do:
- forward to that person who may find this newsletter particularly fruitful.
- let us know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.rtcsec.com/newsletter.
Our news
Our presentation at Bloomberg RTC Summit about VoIP and WebRTC attack surface
I gave a new presentation about the VoIP and WebRTC attack surface at a private conference at Bloomberg called RTC Summit. The presentation is meant to give an overview of the vulnerabilities that may affect real-time communications infrastructure. We also included a number of specific security vulnerability explanations and demonstrations by diving into the following security issues:
- OpenSSL Infinite Loop Vulnerability CVE-2022-0778 and how it affected WebRTC
- RTP proxy vulnerabilities which includes RTP Inject and RTP Bleed
- Attacks on media servers that record or do transcoding - RTP Flood
- TURN relay abuse and vulnerabilities in coturn that bypassed its security restrictions
- SIP INVITE flood for Websocket SIP servers
Thanks to Dhananjay Deshpande and his colleagues at Bloomberg’s RTC team for the opportunity!
Pentesting in 2023? (advert)
If you’re planning on using our services this year, please get in touch by responding to this newsletter or through our contact page. We still have some availability in Q3 but that will be gone very soon. If you need pentesting in Q4, now is an excellent time to start discussions!
Next OpenSIPIt'03 is being planned!
We will be participating in the next OpenSIPIt'03 event which will happen around mid-September 2023. We’ll be doing (D)DoS testing and fuzzing as well as playing with anything new that comes along.
What is OpenSIPIt anyway?
OpenSIPIt is a community-driven interoperability testing event with the aim of ensuring various independent open-source SIP implementations are realizing new and emerging SIP-related RFCs correctly , while remaining fully and easily interoperable at the “basic SIP” level.
Check out Maksym Sobolyev’s announcement on twitter.
What’s happening?
Cloudflare DDoS threat report Q2 mentions VoIP
The second Cloudflare threat report for 2023 was released in July. The following might be the most relevant notes for the audience of this newsletter :
- Mitel MiCollab phone systems are being abused for UDP amplification used in DDoS attacks (CVE-2022-26143)
- a 15% increase in HTTP DDoS attacks was observed including more sophisticated attacks simulating browser behavior
- some large VoIP provider was affected by the attacks of cyber-criminals; does anyone have any further information on this?
- Teamspeak, which is actually a proprietary VoIP service, was also mentioned because Cloudflare started seeing DDoS attacks abusing the TeamSpeak3 protocol
SentryPeer released
This month, Gavin Henry released SentryPeer which helps prevent VoIP attacks and toll fraud. It does this by providing APIs that allow users to query for phone numbers or IP addresses. Specifically, the APIs are able to tell if a phone number is considered fraudulent or if a source IP is a known attacker address. It does this by relying on the SentryPeer honeypots that are crowd-sourced and feed in this data.
The service has a business model and is also available for free for those that contribute data through their own SentryPeer honeypots. It is open source and quite an interesting initiative.
Similar note-worthy efforts that come to mind and are also part of the RTC security community are:
STIR/SHAKEN certificate compliance
This one came from the Bulletproof TLS Newsletter (which we highly recommend):
Martini Security filed a notice with the FCC in the US about widespread noncompliance issues with the STIR/SHAKEN certificates.
A large number (almost half) of the leaf certificates used in the STIR/SHAKEN CA ecosystem actually seem to be expired. More interesting numbers and statistics are to be found in the website put up by Martini Security (who are in the business of certificate issuance).
Vishing with “Letscall” using VoIP and WebRTC
Threat Fabric released a report about Android malware targeting individuals from South Korea. What is interesting is that it acts as a voice traffic router by redirecting incoming and outgoing calls. Depending on how the malware is configured, it might redirect the calls to a call center controlled by the criminals. To do this, the mobile application makes use of VoIP and WebRTC and abuses the legitimate service ZEGOCLOUD.
Various WebRTC vulnerabilities fixed in Firefox and Chromium
Google Chrome, Microsoft Edge Chromium and everything in between fixed two user-after-free vulnerabilities in WebRTC. These are tracked as CVE-2023-3727 and CVE-2023-3728 and the reporters, Cassidy Kim and Zhenghang Xiao, were rewarded a 7000 USD bounty each for their work.
In the meantime, Mozilla Firefox also fixed a vulnerability with the title of Use-after-free in WebRTC certificate generation. It is tracked as CVE-2023-37201 and has been reported by Irvan Kurniawan.
The description from Mozilla says the following:
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
No further details were published as of yet and it is not clear if the vulnerabilities in Firefox and the ones in Chromium are related or not.
Short news and commentary
- Kevin Mitnick is no longer with us; his life was an inspiration to me in the 90s
- Huge spike in REGISTER traffic attacking SIP servers, many coming from Ingate Separator SBC
- Fred Posner posted on Linkedin about traffic involving open SIP proxy abuse, that is being seen on the honeypots
- APIBAN naturally blocks the IPs for the SBCs that are being abused and similar traffic
- This points back to Ivan’s blog post which we covered last month about the topic
- QuickBlox SDK and API vulnerabilities
- QuickBlox creates a framework for chat and video applications in critical industries such as finance and telemedicine. Claroty Team82 and Check Point Research looked into their SDK and APIs and found a number of security vulnerabilities.
- STUN heap overflow that affected pjsip finally fixed in Asterisk too
- The Asterisk project seems to have just moved their security reporting workflow to Github, which is progress and a good thing!
- We know because they also released an advisory (GHSA-4xjp-22g4-9fxm) and a new Asterisk version which fixes vulnerabilities in pjsip. These vulnerabilities affect vulnerable versions of Asterisk when ICE and/or WebRTC is enabled.
- The original vulnerabilities in pjsip were fixed back in December 2022.
- Apache OpenMeetings critical vulnerabilities fixed
- Sonar Source published a blog post by Stefan Schiller about vulnerabilities that they found in OpenMeetings. They discovered the following vulnerabilities:
- CVE-2023-28936: Weak Hash Comparison
- CVE-2023-29032: Unrestricted Access via Invitation Hash
- CVE-2023-29246: Null-Byte Injection
- When chained, these vulnerabilities allow a self-registered user (enabled by default) to take over an administrative account and then gain remote code execution.
- Sonar Source published a blog post by Stefan Schiller about vulnerabilities that they found in OpenMeetings. They discovered the following vulnerabilities:
Tweet of the month
Charles M. Ishihara (@n_o_t_h_a_n_k_s) posted:
Hi @Sangoma @LorneGaetz - I’ve sent you several vulnerability-disclosure-related emails over the past couple months. Can someone reply please? Thanks!
More people replied to Charles’ tweet saying that they had a similar experience with Sangoma. We’re told that there will be public disclosure and a talk about this at Defcon in August. We’ll probably be covering that.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.
To subscribe: here