Welcome to the November edition of your favorite IP Communications Security Newsletter! In this edition, we cover:
- Asterisk fixing a PPE in their Github
- Cyber-criminals listening on telecommunications systems to learn how they were caught
- ARM’s MTE is going to protect your smartphones - Google Project Zero’s blog post about it
- Privacy and security of video conferencing on WebRTC LIVE
- And much more!
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. Do:
- forward to that person who may find this newsletter particularly fruitful.
- let us know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
VoIP and WebRTC security auditing for 2024?
Enable Security is one of the few cyber-security companies in the world that is dedicated to penetration testing and security audits of VoIP and Realtime Communications. Our unique level of experience, methodology and specialized tooling is why our customers trust us to help secure their VoIP and WebRTC applications.
If you intend to engage us in (late) Q1 or Q2 2024, submit the contact form or reply to this email and tell us what we can do for you!
Our updates
None at this time, as we finish off the last pentests for this year. Our next publications are scheduled for January 2024!
What’s happening?
Asterisk fixed a Poisoned Pipeline Execution in their Github repository
The Asterisk project published an advisory submitted by Naor Yaacov about poisoned pipeline execution (PPE). The vulnerability described does not affect the Asterisk PBX server itself but rather the Github Actions configuration. Before the fix, when Github users submitted a pull request, the tests done by the Github workflow CI would be run automatically. This gave (malicious) Github users the ability to execute custom commands in that particular workflow, which had access to a number of sensitive environment variables. The security researcher highlighted the following variables of interest:
- GITHUB_TOKEN, which had some dangerous permissions
- ACTIONS_RUNTIME_TOKEN
This vulnerability gets no CVE since it does not affect a product, but it has a CVSS rating of 9.1, which makes it a critical vulnerability. A quick scroll through the commits reveals the following two commits that were made to address this issue:
The author of the advisory wrote the following in terms of impact:
An attacker who successfully executes a PPE attack can insert malicious code into the build process, which can result in the creation of a compromised version of the software. This can have a wide range of security impacts, including:
- Data theft: A compromised version of the software can be used to steal sensitive data from the organization or its customers.
- Malware distribution: A compromised version of the software can be used to distribute malware to the organization or its customers.
- System compromise: A compromised version of the software can be used to gain unauthorized access to the organization’s systems.
- Reputation damage: A successful PPE attack can damage the reputation of the organization, resulting in a loss of trust from its customers and partners.
Nice work to all involved - thanks for making the Asterisk PBX more secure!
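As an added illustration of the pattern behind this class of PPE (a constructed example, not Asterisk’s actual workflow or fix), the fence below holds two workflow files: one that runs in the base repository’s privileged context while executing code taken from the pull request, and a hardened counterpart. The workflow names, job names and the `make test` target are assumptions.

```yaml
# File 1 (constructed): .github/workflows/ci-vulnerable.yml
# pull_request_target runs in the BASE repository's context, so the job has
# a write-capable GITHUB_TOKEN, repository secrets and the runner's
# ACTIONS_RUNTIME_TOKEN, yet it checks out and executes the untrusted PR.
name: ci-vulnerable
on: pull_request_target            # fires for PRs from any fork
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR author controls this tree
      - run: make test             # Makefile comes from the PR: arbitrary commands
                                   # now run with the privileged tokens in the environment

---
# File 2 (constructed): .github/workflows/ci-hardened.yml
# pull_request runs in the PR's own context: for PRs from forks GITHUB_TOKEN is
# read-only and repository secrets are not exposed. permissions: pins the token
# to least privilege for the whole workflow instead of relying on defaults.
name: ci-hardened
on: pull_request
permissions:
  contents: read                   # the only scope the test job needs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # default ref: the PR merge commit, still in PR context
      - run: make test             # untrusted code runs, but without write tokens or secrets
```

Anything that genuinely needs write access or secrets (publishing results, labelling) belongs in a separate workflow that never checks out or executes pull-request code.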
Scattered Spider and teleconferencing systems
The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory about a cybercriminal group called Scattered Spider that has been targeting large companies and IT help desks. What caught our eye is the following:
To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.
Additionally:
Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.
The fact that they abuse voice communications and social engineering techniques is certainly not new but it is somewhat interesting that they make an effort to join teleconference calls. It is a reminder that when an organisation is compromised at this level, adversaries get access to everything - including realtime communications.
Memory Tagging Extensions available in Pixel 8 handsets
Mark Brand from Google Project Zero wrote an informative blog post about the new Pixels being able to use ARM’s Memory Tagging Extension (MTE) to detect memory corruption exploitation. This is a brand new feature that needs to be enabled on test handsets and is still not supported on normal devices.
This feature greatly benefits the overall security of Android devices. The author emphasizes this point especially for WebRTC code and media or image file parsing libraries. These libraries are written in memory-unsafe C/C++ and have had various exploitable vulnerabilities in the past.
WebRTC LIVE episode about privacy and security of video conferencing
WebRTC LIVE is a great podcast that had previously featured our work regarding the WebRTC attack surface. This month, they had an interesting episode about your favorite topics with Robert Strobl, CEO and Founder of Digital Samba, as a guest. The host, Arin Sime, together with Robert covered the following topics:
- Data privacy in video applications, including GDPR and many other regulations that might affect WebRTC especially for sensitive applications like online psychotherapy
- The challenges of using encryption vis-a-vis logging and debugging issues at signalling or media level
- The security risks of WebRTC and scaling with SFUs (selective forwarding units), which act as a man-in-the-middle; and insertable streams for end-to-end encryption (E2EE) and other solutions
- The downsides of doing E2EE - which is where security becomes hard and in our opinion, interesting
- AI integration - which is a huge topic in terms of privacy
- Various other subjects that might be interesting.
Give it a watch if this is your thing!
Tenable Nessus added checks for old vulnerabilities affecting Rockwell / Cisco SIP implementations
Tenable’s industrial security solution, Tenable OT Security, has added a number of vulnerability checks for “Rockwell Automation Stratix”. Some of these checks are for vulnerabilities that affected the SIP components of the Rockwell Automation Stratix / Cisco IOS Software and Cisco IOS XE Software and were fixed back in 2014:
- Rockwell Automation Stratix 5900 (CVE-2014-2106)
- Rockwell Automation Stratix Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak (CVE-2016-1350)
- Rockwell Automation Stratix 5900 (CVE-2014-3360)
Short news and commentary
- Patton SmartNode SN200 3.21.2-23021 OS Command Injection (CVE-2023-41109)
  - The SmartNode SN200, an Analog Telephone Adapter (ATA), was found vulnerable to OS command injection through the device’s web interface. No authentication is required because the web interface is also vulnerable to an authentication bypass. At the time the advisory was published, no patch was available. Has this changed yet?
- Cisco IP Phone Stored Cross-Site Scripting Vulnerability (CVE-2023-20265)
- Mailing list thread on how to stop SQL injection attacks on OpenSIPS
  - There is a new thread on the OpenSIPS mailing list asking how to stop SQL injection attacks. No one has responded yet, but we’re curious about what people come up with!
- Kamailio mailing list thread: Crash on core/mem/q_malloc.c
  - Igor Potjevlesch posted asking about a crash they are seeing that, according to the core developer, appears to be an off-by-one. The original poster later confirmed that they were able to reproduce the issue, that it concerns a particular in-dialog INVITE, and that they are looking into it.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.
To subscribe: here