
WebRTC attacks, FOSDEM'23 and security fixes

Published on Feb 28, 2023

Welcome to the February 2023 edition of RTCSec newsletter. If you are reading this on your email client, you might notice slight formatting changes - the red color of the Communication Breakdown blog and the mascot on the side. Hope that this makes it more distinguishable. Do let me know if you have feedback, by replying to this email.

In this edition, we cover:

  • A chat with Arin Sime of WebRTC.Ventures about the WebRTC infrastructure attacks
  • A glimpse of SIPVicious PRO running on an Android phone
  • Our review of FOSDEM'23 talks of interest to the RTCSec audience
  • Various security reports involving FreePBX, FreeSWITCH, Chromium, BIG-IP and Oracle’s WebRTC session controller

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

  • forward to that person who may find this newsletter particularly fruitful.
  • let me know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.


Our news

Webinar about WebRTC infrastructure attacks

I was invited on WebRTC Live by WebRTC.ventures to talk about WebRTC infrastructure vulnerabilities. I started by presenting a mind-map of the attack surface, showing the different parts of the infrastructure that may be attacked and each individual attack that might apply. Then I did a quick demo showing how WebRTC signalling servers might be attacked to cause denial of service. For that, I used our Attack Platform. Finally, I told the story so far about the TURN relay abuse vulnerability that affected a number of WebRTC platforms: how we found it, reported it to various companies and what happened next.

Watch the video here: https://www.youtube.com/watch?v=qlQJuyp7nS8

SIPVicious PRO on Android phones: a quick demo

We have a short video showing SIPVicious PRO running on an Android test phone in our lab. This may be useful when doing security testing or penetration testing on IMS (IP Multimedia Subsystem) targets, for example in a VoLTE environment.

The video is called First glimpse of SIPVicious PRO running on Android and it can be enjoyed here: https://www.youtube.com/watch?v=TjeazO1i8mQ.

SIPVicious PRO on Android test phone

What’s happening?

FOSDEM'23 talks of interest

The open source conference happened on 4 & 5 February 2023. Unfortunately we were not able to attend but we still kept an eye out for interesting talks. Here is our quick review of talks that looked relevant to this newsletter’s audience. Do get in touch if we missed anything that you think should be covered or at least mentioned!

Modernizing Authentication and Authorization in XMPP

This presentation by Matthew Wild covers XMPP authentication, starting with a great introduction to the topic in general. Then he describes the new authentication mechanism for XMPP called FAST, which stands for Fast Authentication Streamlining Tokens. This allows the use of things like WebAuthn, FIDO2 and Passkeys for authenticating to your XMPP account, bringing XMPP authentication up to date.

Watch the presentation: https://fosdem.org/2023/schedule/event/modern_xmpp_auth/

Secure payments over VoIP calls in the cloud

This is a talk by Nuno M Reis on how Talkdesk achieved PCI compliance with Open Source VoIP software - Kamailio and RTPEngine. He talked about how the proprietary solutions were difficult to work with, in contrast to using Open Source. This is an excellent presentation about designing and hardening a VoIP solution and limiting its security exposure. What I like about this is that, by choosing the right software and architecture, they seem to have obtained the level of control that was needed to certify their VoIP platform.

The last slide in this presentation was about the certification audit results, which said that pentests passed flawlessly; this of course made me smile. He did explain that while the previous proprietary solution had various open issues (vulnerabilities), with the open-source solution this was no longer a problem.

This reflects our own experience where we spent some time testing the security of a proprietary VoiceXML solution that was meant to be PCI compliant. It had major security issues such as default passwords on administrative interfaces, and keeping such a system up to date with the latest security patches was described as a nightmare by the engineers!

One thing that I should mention is that PCI Penetration Testing is often extremely limited in scope and most security testers doing PCI pentesting are likely to simply look for vulnerabilities that are either detected by vulnerability scanners or web application security issues. Thus they are likely to miss VoIP-specific vulnerabilities through this approach.

Watch the presentation: https://fosdem.org/2023/schedule/event/secure_voip_payments/

Talks of interest at FOSDEM on robustness, availability and denial of service (DoS)

Other talks of relevance

Reports of FreePBX ARI attacks in the wild

Last month a number of people in the FreePBX community reported that their instances had been compromised. Based on similarities across their forum posts, it appeared that the attack abuses the Asterisk REST Interface (ARI).

Lorne Gaetz, the FreePBX project leader, posted a short note on the recent reports and listed commonalities between the reports:

  • Asterisk http/https service port(s) exposed to untrusted traffic
  • There was a spurious ARI app running in Asterisk

Quoting further from Lorne’s post:

To create an ARI app you need access to the Asterisk http/https service and you need ARI user credentials. The FreePBX ARI user is called freepbxuser and the password is generated at time of install. I don’t have complete data right now, but there is enough anecdotal evidence indicating that FreePBX ARI user password is not unique across all systems, so we are proceeding on the suspicion that one or more of the non-unique ARI passwords is now known publicly and used as part of the exploit.

So it appears that the affected installations used a guessable password for their ARI, and as the web ports are exposed, attackers discovered the instances and added an ARI app called hey.

To mitigate the attack, Lorne suggests the following:

  • Immediately block access to the Asterisk http/https service ports
  • Manually reset the FreePBX ARI account credentials

You can also run the following command to find out if you have been compromised:

stasis show topics

If this returns ari:application/hey then the server is compromised. As always, weak passwords are one of the most common root causes in security incidents; follow Lorne's suggestions and use strong and unique passwords.
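The check above can be turned into a small script that compares the ARI applications registered in Asterisk against the ones you know you run. This is an added example, not code from the post or the FreePBX project; the allowlist (myivr) and the sample CLI output are constructed, and the output format of stasis show topics is assumed only to contain ari:application/<name> on its own line.

```shell
#!/bin/sh
# Added example (not from the post or FreePBX): flag ARI applications that appear in
# the output of the Asterisk CLI command "stasis show topics" but were not registered
# by you. ARI app topics are named "ari:application/<appname>"; the post reports
# "ari:application/hey" on the compromised servers.

# Applications you intentionally run (constructed list; adjust for your site).
KNOWN_ARI_APPS="myivr"

# check_ari_topics: read the CLI output on stdin, warn about every
# ari:application/ topic not in KNOWN_ARI_APPS, and return 1 if any were found.
check_ari_topics() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *ari:application/*) ;;
            *) continue ;;
        esac
        # extract the application name that follows "ari:application/"
        app=$(printf '%s\n' "$line" | sed 's/.*ari:application\/\([^[:space:]]*\).*/\1/')
        known=0
        for k in $KNOWN_ARI_APPS; do
            [ "$k" = "$app" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            printf 'WARNING: unexpected ARI application "%s" registered\n' "$app" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample resembling "stasis show topics" output on an affected box.
SAMPLE_TOPICS='Name                      Subscribers
ari:application/myivr     1
ari:application/hey       1
channel:all               3'

# On a live system run instead:  asterisk -rx "stasis show topics" | check_ari_topics
if printf '%s\n' "$SAMPLE_TOPICS" | check_ari_topics; then
    echo "no unexpected ARI applications"
else
    echo "possible compromise: unexpected ARI application(s) found; reset the ARI credentials and block the http/https ports"
fi
```

Any unexpected application, not only the hey name seen so far, is reported, so the script still works if the attackers change the application name.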

References:

Oracle WebRTC Session Controller RCE

Peter Mularien, security researcher at Nightcrawler Security, LLC, has reported a vulnerability in Oracle WebRTC Session Controller that allows remote command execution due to deserialization of untrusted data. Based on the advisory, this happens because user-supplied data is not properly validated. This vulnerability affects versions 7.1.0 and 8.0.0 and, according to the Oracle Communications Risk Matrix, it is exploitable through UDP.

No further details are currently available so we reached out to the researcher to find out more. We’re told that the information should be made public later on in March/April.

Reference: https://www.zerodayinitiative.com/advisories/ZDI-23-175/

Chromium Use-After-Free in WebRTC (CVE-2023-0932)

A high severity use-after-free vulnerability has been discovered and fixed in WebRTC in Chrome/Chromium. The vulnerability has been reported by Omri Bushari, Senior Software Engineer at Talon Cyber Security. The vulnerability “allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page”.

The details are still under wrap so we look forward to learning about this when the report is made public.

References:

Null pointer dereference affects BIG-IP SIP profile

F5 has published an advisory for a vulnerability in BIG-IP that allows unauthenticated attackers to cause a DoS. The advisory states that the vulnerability class is null pointer dereference. The vulnerability occurs when a SIP profile is configured on a Message Routing type virtual server and crafted traffic (we guess it must be SIP) is sent to the server. The result is a denial of service, causing the TMM (Traffic Management Microkernel) to terminate.

The following versions were affected:

  • 16.1.x before 16.1.3.3
  • 15.1.x before 15.1.8
  • 14.1.x before 14.1.5.3
  • 13.1.x (all versions) - will not fix

References:

FreeSWITCH 1.10.9 release includes security fixes

FreeSWITCH version 1.10.9 has been released with several security bug fixes including two memory leaks and a memory safety vulnerability which leads to a crash. No CVE was assigned to the vulnerabilities. The Sofia-SIP version also has been updated from 1.13.6 to 1.13.12, and four high and critical severity vulnerabilities were patched. The vulnerabilities are as below:

  • CVE-2023-22741 - heap overflow in stun_parse_attribute (Critical)
  • CVE-2022-31001 - sip_method_d Out-of-bound read (High)
  • CVE-2022-31002 - url_canonize2 Out-of-bound read (High)
  • CVE-2022-31003 - sdp_parse Heap-buffer-overflow (High)

References:


This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here