Welcome to the September edition of the VoIP and WebRTC security newsletter, RTCSec news!

In this edition, we cover:

• our news, including the WebRTC & Video Delivery presentation we gave at CommCon, OpenSIPIt and our Attack Platform
• security fixes in FreeSWITCH, OpenScape, Stormshield and DLINK phones
• GPRS Tunneling Protocol user-plane (GTP-U) abuse, Signal upgraded for quantum computing and SBOMs

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

• forward to that person who may find this newsletter particularly fruitful.
• let us know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.

Our news

WebRTC & Video Delivery application security - what could possibly go wrong?

Our presentation for CommCon 2023 is finally public! Here’s the synopsis:

WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handles WebRTC can be attacked. It may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!

With regards to video delivery, we actually took a look at the WISH/WHIP protocol which resulted in some interesting potential vulnerabilities which we described back in June.

Give it a watch at https://www.youtube.com/watch?v=UkB-edcyk8I.

Security consultancy for your RTC projects

If you are using open-source software such as OpenSIPS, Kamailio, FreeSWITCH or Asterisk to build custom solutions, you may need security consultancy. Or you may need help with security testing of some VoIP or WebRTC features or components. That is why we offer consultancy services.

OpenSIPIt'03 covered SIPREC, STIR/SHAKEN, DTLS, performance and security

OpenSIPIt'03, the interoperability testing event, happened during the week of 18th September and the attending opensource developers were very engaged. In fact some of the tests went beyond the initial 3 days that were originally planned for the event.

On the initial day, there were some presentations about what was planned by each attendee which can be seen on the Youtube stream. You’ll find the following:

• STIR/SHAKEN by Liviu
• SIPREC by Razvan
• Performance by Flavio
• DTLS/SRTP by Maxim

We also had a presentation which starts after 1h and 40 minutes which can be seen on the stream at 5990s. We discussed:

• what we can test which included some basic standard fuzzing tests to do with RTP, including fuzzing of various codecs and SIP fuzzing
• gave some ideas of ad-hoc tests that we could do covering SIPREC, DTLS DoS and STIR/SHAKEN fuzzing or security testing
• introduced our Attack Platform and gave the developers access for the first time (next topic)

The OpenSIPIt event is always a valuable opportunity to learn from others and to improve and expand our security coverage, even if we could not participate as much as we wanted this time. We are excited for the next one!

Attack Platform sneak preview at OpenSIPIt

During OpenSIPIt'03 we described the Attack Platform and gave the attending developers access so that they could run some tests on their software. We explained that often we need to share security tests with others (our clients) and allow them to consistently do the same tests over and over again. Additionally, we often need to distribute certain security tests - especially for DDoS resilience testing of course. And finally, it is valuable to be able to run tests automatically, on schedule, or manually by our clients.

The Attack Platform is our answer to all of these problems. It can be summarized as infrastructure and security tools prepared by Enable Security. If you’d like to watch the talk and demos with the Attack Platform, it is all on the Youtube stream at 6381s.

What’s happening?

Two FreeSWITCH security fixes

The FreeSWITCH project has addressed two security vulnerabilities this month. Both security reports are credited to Andrey Volk, while Giacomo Vacca is also credited for one of the vulnerabilities. Both developers are working at SignalWire, the main sponsor of FreeSWITCH.

What was fixed?

1. FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names - CVE-2023-40019
2. FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID - CVE-2023-40018

Both are listed as potentially leading to memory/stack corruption, which results in undefined behavior, or a crash.

It is great to see open source developers discovering and self-reporting vulnerabilities in this way, with excellent advisory content and prompt security fixes. Congratulations to the FreeSWITCH team!

Pentesting in 2024? (advert)

We would love to hear from you if you are interested in our services for the next year. You can reach us by replying to this newsletter or by visiting our contact page. Since we have no availability left for Q4, this is a great opportunity to start a conversation!

Other vulnerabilities

• Authenticated Remote Code Execution and Missing Authentication in Atos Unify OpenScape
  • https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-code-execution-missing-authentication-atos-unify-openscape/
  • The OpenScape VoIP products were fixed for two vulnerabilities reported by SEC Consult. One of the vulnerabilities allows for remote code execution through internal functions that are available to low privileged users on the platform. The second one involves a number of PHP scripts that run administrative functions without any authentication. The vulnerabilities were assigned the following CVEs: CVE-2023-36618, CVE-2023-36619
• Crashes in Stormshield Network Security when parsing specially crafted SIP (CVE-2023-26095)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26095
  • Sounds like someone did a bit of SIP fuzzing. Not many details are provided for this except the following:

    ASQ in Stormshield Network Security (SNS) 4.3.15 before 4.3.16 and 4.6.x before 4.6.3 allows a crash when analysing a crafted SIP packet.

• DLINK DPH-400SE VoIP Phone advisory
  • https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200
  • The guest user (with the default password guest) can access administrative passwords for the phone from the web interface.

Short news and commentary

• Attacks on 5G Infrastructure From Users’ Devices
  • https://www.trendmicro.com/en_us/research/23/i/attacks-on-5g-infrastructure-from-users-devices.html
  • An article by Trend Micro about GTP-U exposure and abuse. GTP-U is a tunneling protocol and the article explains how a malicious GTP-U in a normal GTP-U could lead to a successful denial of service on internal critical software that relies on Open5GS.
• Quantum Resistance and the Signal Protocol
  • https://signal.org/blog/pqxdh/
  • Signal has started using a new protocol called PQXDH which is meant to be resistant to quantum computer cryptographic attacks
• Kamailio mailing list: Software bill of materials (SBOM)
  • https://lists.kamailio.org/mailman3/hyperkitty/list/sr-users@lists.kamailio.org/thread/URHZCQTDAA5HTKFLEX3PUDGDQ6UNORFK/
  • There is an interesting mailing list thread right now on SBOM in relation to Kamailio. Olle E. Johansson, who has been doing some work in the area of SBOMs, highlighted the fact that C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs.
• Michal Zalewski is not a fan of SBOMs
  • https://twitter.com/lcamtuf/status/1684743490943725569
  • lcamtuf listed his concerns around using SBOMs for vulnerability response. Valid concerns that are worth thinking about:
    • majority of dependencies are not security-relevant; thus generating false positives
    • SBOM compilation has limitations; you cannot ignore a vulnerability just because it doesn’t show up on your SBOM
    • and more!

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here