RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


January 2024: Critical WebRTC, CUCM and SIP ALG security fixes - fuzz it all and disable stuff

Published on Jan 31, 2024

Fresh new year, fresh VoIP and WebRTC security news! Welcome to this newsletter, write back if you find it useful.

In this edition, we cover:

  • TLS key logs, Kamailio and security tools
  • Chromium’s WebRTC vulnerability CVE-2023-7024
  • The usual warning about SIP ALG
  • Critical vulnerabilities fixed in Cisco’s Unified Communications products

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • forward to those that may find this newsletter particularly fruitful.
  • let us know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.rtcsec.com/newsletter.


Our news

Penetration testing or security assessment in 2024?

If you’re subscribed to this newsletter, chances are you’re also thinking about pentesting your VoIP/WebRTC products and services in 2024.

At the moment we’re working on filling our work schedule for Q2 2024. If you’d like to be included in our thoughts, reply to me or contact us.

What’s happening?

Did you know that you can log TLS keys in Kamailio?

This last month there was a thread on the Kamailio users mailing list titled "SSL key logger for Diffie-Hellman cipher", where the author asked specifically about using LD_PRELOAD to create a TLS (or SSL) key log.

This is something that is very useful when debugging encrypted connections. A TLS keylog allows debugging tools that work at packet level, such as Wireshark, to actually decrypt encrypted traffic. It is something supported by most web browsers and many of our internal security tools (e.g. SIPVicious PRO) tend to support this feature too.

Based on the mailing list post, it turns out that the voipmonitor project has a tool called ssl_keylogger that uses the LD_PRELOAD method to dump keys from servers such as Kamailio and pass them to voipmonitor.

From the same email thread, we also learned that there was a pull request in the Kamailio project that would also allow exporting of session keys, without needing to use the LD_PRELOAD method. This PR wasn’t accepted into the project due to potential concurrency problems but seems like a good starting point if anyone wants to do this directly in Kamailio.
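To make the key log concrete, here is an added example (not code from Kamailio, voipmonitor or the mailing list thread) that parses the NSS key log format that Wireshark reads and reports, per client random, whether the file holds enough secrets to decrypt that session. The function names and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels defined by the NSS key log (SSLKEYLOGFILE) format.
TLS12_LABEL = "CLIENT_RANDOM"              # value is the 48-byte master secret
TLS13_REQUIRED = {                         # both directions, handshake + data
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS13_OPTIONAL = {"EXPORTER_SECRET", "CLIENT_EARLY_TRAFFIC_SECRET",
                  "EARLY_EXPORTER_SECRET"}
# <label> <32-byte client random in hex> <secret in hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_number, reason)])."""
    sessions, errors = defaultdict(dict), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are legal
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, "malformed line"))
            continue
        label, client_random, secret = m.groups()
        # TLS 1.3 secrets are one hash output long: SHA-256 or SHA-384.
        allowed = {96} if label == TLS12_LABEL else {64, 96}
        if label != TLS12_LABEL and label not in TLS13_REQUIRED | TLS13_OPTIONAL:
            errors.append((lineno, "unknown label"))
        elif len(secret) not in allowed:
            errors.append((lineno, "bad secret length"))
        else:
            sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), errors

def classify(labels):
    """Say which TLS version a session used and whether it is decryptable."""
    if TLS12_LABEL in labels:
        return "tls1.2"
    return "tls1.3" if TLS13_REQUIRED <= set(labels) else "tls1.3-incomplete"

def summarize(text):
    sessions, errors = parse_keylog(text)
    return {cr: classify(labels) for cr, labels in sessions.items()}, errors

# Constructed sample, not real key material.
R1, R2, R3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE = "\n".join([
    "# constructed key log",
    f"CLIENT_RANDOM {R1} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R2} {'c2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'c3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R2} {'c4' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R3} {'d1' * 32}",   # handshake secrets missing
    f"CLIENT_RANDOM {R1} {'ab' * 20}",             # truncated master secret
])
```

A session reported as `tls1.3-incomplete` usually means the logger was attached after the handshake or the file was truncated.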

Google Chromium WebRTC Heap Buffer Overflow Vulnerability warning and analysis - CVE-2023-7024

The US Cybersecurity and Infrastructure Security Agency (CISA) added the WebRTC heap overflow vulnerability tracked as CVE-2023-7024 to its list of actively exploited vulnerabilities. This was added on 2nd January, while Alisa Esage of Zero Day Engineering published an analysis on December 25th.

In her analysis, she explained that this is Chromium-specific, which means that it should only affect browsers based on Chromium (of which there are plenty) but not browsers that simply use the WebRTC library. The researcher also indicated that this vulnerability on its own is normally not enough to gain remote code execution on vulnerable web browsers. Instead, it needs to be used in combination with other bugs that allow for memory disclosure as well as escape from the browser or application sandbox.

Browsers that were patched against this vulnerability include Google Chrome, Microsoft Edge, Brave, Opera and the Electron framework.

Other reports covering this vulnerability simply regurgitate what Google has written in their limited advisory and make assumptions that seem incorrect after reviewing Zero Day Engineering’s quick analysis. With the constant stream of CVEs and security fixes published without many technical details, the work by Zero Day Engineering is refreshing if you’re trying to understand the impact of a vulnerability.

Junos OS SIP ALG vulnerability fixed - CVE-2024-21616

This is not the first vulnerability to be fixed in the SIP packet parser for the SIP ALG functionality of the Junos OS. It probably will not be the last - but fuzzing may help the vendor eliminate some of these issues. This vulnerability leads to denial of service when exploited using a specific SIP packet.

Details can be found in the security bulletin from Juniper. Our previous coverage of similar issues in Junos can be found in the January 2023 edition of the RTCSec newsletter.

Reminder: in order to reduce your attack surface, we often suggest that SIP ALG functionality is switched off unless absolutely required.

Malicious code in webrtc-studio-connection (npm)

If you work with WebRTC and Node or JavaScript, you might have come across a package called webrtc-studio-connection. It turns out that it is a malicious package according to the GitHub advisory.

Socket.dev have an advisory and a public copy of this package and the contents look very much like something from a web application security scanner instead of actual useful developer code.

Critical vulnerabilities in Cisco Unified Communications solutions - CVE-2024-20253 / CVE-2024-20272

CVE-2024-20253 tracks a vulnerability in Cisco’s unified communications solutions:

  • Unified Communications Manager
  • Unified Communications Manager IM & Presence Service
  • Unified Communications Manager Session Management Edition
  • Unified Contact Center Express
  • Unity Connection
  • Virtualized Voice Browser

The vendor gave it a CVSS severity rating of 9.9 because:

A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

The vulnerability was reported by Julien Egloff from Synacktiv, who also released an advisory and report. The report from Julien actually lists 4 different security issues or vulnerabilities. Out of these 4, it seems that only the first one, arbitrary Java object deserialization through an unauthenticated service that can lead to remote code execution, was addressed. The rest of the vulnerabilities are privilege escalation vulnerabilities.

Another vulnerability, tracked as CVE-2024-20272, was fixed in Cisco Unity Connection and gets a CVSS severity base score of 7.3. Reported to Cisco by Maxim Suslov, this one also allows for unauthenticated remote code execution and privilege escalation to root.

CCC Congress 2023 - 37c3 - talks of interest for the RTCSec crowd

The CCC Congress took place in Hamburg, Germany during the end of 2023 and, as always, had a number of talks that are of interest. The following two touch a nerve when it comes to RTC security:


This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here