Welcome to the April edition of the VoIP and WebRTC security monthly newsletter.
In this edition, we cover:
- Kamailio World 2024 review
- Our short and longer presentation on insecure Kamailio configuration patterns
- Changes to the newsletter
- Updates to T-Pot honeypot, sngrep security fixes, Mitel IP Phone vulnerabilities
- New security course on WebRTC by BlogGeek.me
- And some more!
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- forward to those that may find this newsletter particularly fruitful.
- let us know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Enable Security at Kamailio World and a very short presentation
This month I had the pleasure of visiting Kamailio World in Berlin and attending various presentations, some of which we cover below in this newsletter. The second day included a session called 5 Minutes 5 Slides, which encourages participants to present what they do and how they use Kamailio.
I took the opportunity to introduce this very newsletter and to briefly tell the audience about our penetration tests on VoIP and WebRTC environments. In the main part of this short presentation I showed two examples of Kamailio configurations that we reviewed during our work and that were vulnerable to specific security issues. One of them showed misuse of the dns_query function that could lead to DoS, while the other showed misuse of the avp_db_query function that could lead to SQL injection.
My 5-minute slot can be watched on YouTube and the slides are also available.
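To illustrate the avp_db_query pattern mentioned above, here is an added example of a Kamailio route block showing the injectable form next to a hardened one. It is not code from the newsletter, from the audited configurations or from the Kamailio project. It assumes the avpops module is loaded with a db_url pointing at the standard subscriber table, and the route name LOOKUP_PASSWORD and the variable names are made up for the example.

```kamailio
# Added example (not from the newsletter or the Kamailio project).
# Assumes: loadmodule "avpops.so" with modparam("avpops", "db_url", ...)
# pointing at a database that has the standard "subscriber" table.

route[LOOKUP_PASSWORD] {
    # PROBLEM: $fU (the From header user part) is attacker-controlled and is
    # interpolated verbatim into the SQL string, so a quote character in the
    # From user changes the statement that reaches the database.
    # avp_db_query("select password from subscriber where username='$fU'", "$avp(password)");

    # Mitigation 1: allowlist the value before it gets anywhere near SQL.
    # Only characters normally found in SIP usernames are accepted.
    if (!($fU =~ "^[A-Za-z0-9._+-]{1,64}$")) {
        xlog("L_WARN", "rejecting unexpected From user from $si:$sp\n");
        sl_send_reply("400", "Bad Request");
        exit;
    }

    # Mitigation 2: escape the value anyway with the s.escape.common
    # transformation, which escapes quote, double quote, backslash and NUL,
    # so a future change to the allowlist cannot silently reopen the bug.
    $var(user) = $(fU{s.escape.common});

    if (!avp_db_query("select password from subscriber where username='$var(user)'", "$avp(password)")) {
        xlog("L_INFO", "no subscriber record for $var(user)\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
}
```

In practice the auth_db module, which builds its own queries from the authentication credentials, avoids writing this query in the configuration at all; the pattern above is for the cases where a custom lookup is genuinely needed.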
Migrating the newsletter and content to EnableSecurity.com
We have an update regarding this newsletter: over the next few weeks and months, we will be transitioning all content, including this very newsletter, from rtcsec.com to enablesecurity.com. As you may know, Enable Security has always been the driving force behind RTCSec, a fact we’ve proudly shared. However, managing multiple websites has proven to be inefficient for a variety of reasons. By consolidating our resources under one roof, we aim to make our efforts to bring cybersecurity to VoIP and WebRTC domains more effective. If you notice any glitches, please do not hesitate to let us know!
Security Pitfalls in Kamailio Configuration Patterns
During the 5 minutes 5 slides session at Kamailio World this year, I briefly alluded to having a more complete presentation with further examples of significant security findings from our past security audits of Kamailio environments. The work-in-progress document currently includes the following:
- Open relay via R-URI may lead to SIP amplification DoS abuse and more (CVSS: 9.3)
- Open relay via Route header may lead to SIP amplification DoS abuse and more (CVSS: 9.3)
- Use of the function avp_db_query in Kamailio configuration leads to SQL injection (CVSS: 9.8)
- The function dns_query in Kamailio configuration might lead to DoS (CVSS: 7.5)
- Kamailio configured to relay all calls to carrier without any authentication (CVSS: 7.5)
- Remote Code Execution via unauthenticated specially crafted NOTIFY message (CVSS: 10.0)
- SIP MESSAGE does not require authentication, leading to spam (CVSS: 5.3)
- Denial of Service via in-dialog INVITE messages (CVSS: 7.5)
If you are interested in discussing these vulnerabilities further, I would be happy to share this document. All I ask in return is honest feedback to help us improve our material!
Simply reply to this newsletter or use the Enable Security communication channels, introduce yourself and say hello.
What’s happening?
Major update in T-Pot release 24.04.0
T-Pot is a honeypot platform from Deutsche Telekom Security that includes a number of VoIP deception components. They have a new major release v24.04. In terms of VoIP, we see the following honeypots being included that support SIP:
- SentryPeer
- qHoneypots (includes QSIPServer which uses Twisted.sip)
The data collected from T-Pot installations is (by default) fed into Sicherheitstacho, which is quite fun to watch, although somehow I see none of the VoIP-related traffic; it should be showing up, since port 5060 receives a lot of scans.
Mitel IP Phone vulnerabilities walkthrough and security fixes
Danish company Baldur released a blog post about vulnerabilities that they found in Mitel IP phones. They identified various vulnerabilities which they chained to get their favorite music playing on the phone and take full control of the devices.
This blog post is a valuable resource for security researchers and developers interested in the intricacies of compromising hardware SIP phones. Following this research, Mitel issued several security fixes, which are documented on the Mitel Security Advisories page. The issues are tracked under the following identifiers:
- CVE-2024-31963 (Mitel Advisory ID 24-0006)
- CVE-2024-31964 (Mitel Advisory ID 24-0007)
- CVE-2024-31965 (Mitel Advisory ID 24-0008)
- CVE-2024-31966 (Mitel Advisory ID 24-0009)
- CVE-2024-31967 (Mitel Advisory ID 24-0010)
Update on the WebRTC vulnerability (CVE-2024-1580) that affected Apple software
Last month we wrote about a security fix affecting Safari’s WebRTC and CoreMedia, which was due to a vulnerability in the library dav1d. Philipp Hancke clarified to us that Chromium also uses dav1d but that the vulnerability does not affect it because “the dav1d fix is related to ‘tiles’ and tiles should not make it through depacketization”.
sngrep fixes buffer overflows in SIP header processing
The tool sngrep, useful for debugging SIP traffic from the command line, has a new version 1.8.1 that fixes some buffer overflow issues. The pull request has the details:
This pull request addresses critical vulnerabilities in sngrep’s SIP header processing, specifically related to stack buffer overflows in “Call-ID”, “X-Call-ID”, “content-length”, and “warning” headers. The fixes introduce bounds checking and ensure string null-termination, mitigating the risk of arbitrary code execution or DoS from malicious SIP messages.
These issues are tracked under CVE-2024-3119 and CVE-2024-3120; the vulnerability report and the fix were submitted by Huascar Tejeda from Pentraze Cybersecurity.
WebRTC security and privacy essentials course and ebook from BlogGeek.me
Tsahi Levent-Levi and Philipp Hancke are making a new ebook and training available that focuses on our favourite topic! A cursory look at the contents of the ebook shows the following interesting topics:
- Browser security and privacy mechanisms
- Signaling security
- Media security, covering also TURN servers and fuzzing of media server traffic
- Security of clients, including web applications and mobile or native applications, Electron
- Focus on user interface and user experience security
- End to end encryption, and encryption in general as it relates to WebRTC
We’re happy to link to this course which is available at WebRTC Security & Privacy Essentials. BlogGeek.me have provided the audience of this newsletter a top secret 20% discount code RTCSEC.
A review of Kamailio World’s RTC security content
The Kamailio conference this year was outstanding not only because of the high quality content shared by the presenters but also due to the interesting conversations and insights from the audience on the topics of VoIP and WebRTC security.
With that in mind, the following were my favorite talks that had a certain relevance to the topic of this newsletter:
- Kamailio – Last Year In Review: Daniel-Constantin Mierla, Kamailio Co-Founder, spoke about the new features, and the following caught our attention:
  - a new alternative TLS module implementation called tls_wolfssl.
  - a new module called gcrypt that exposes cryptographic functions using libgcrypt.
  - the multi-threading model of OpenSSL 3 is now supported, which should solve some mysterious random crashes, some of which we had previously covered very briefly.
  - enhanced capabilities for TCP connections and traffic management to detect stale connections and connections that are kept waiting for data; this is something that we have previously reported to our clients/customers but found hard to resolve at Kamailio level. We are very happy to see this being addressed, although we would still like to test these solutions.
  - SIP overload control support based on RFC 7339; this is meant to address SIP flooding, so it is very interesting for us to explore this solution.
- STIR/SHAKEN: Battle Against Caller ID Spoofing: voice engineers from Twilio spoke about this standard which seems to be coming to Europe too.
- Securing SIP Communication Using Kamailio With TLS – The Advent Of OpenSSL 3.x: Shih-Ping (Richard) Chan, Software Integrator from Singapore, spoke about fixing OpenSSL 3. Some points he made:
  - Talked about the Kamailio folklore that TLS is unstable, especially when used with other libraries; this is in part due to a shared memory corruption that has been present but was previously hard to reproduce
  - OpenSSL v3 made the shared memory corruption much more reproducible
  - Using the new tls_threads_mode is the solution
- Kamailio + eBPF – Chapter 2: Blood and Honey: Alexandr Dubovikov, Homer SIP Capture founder, presented a new tool called rtcagent that makes use of eBPF to feed HOMER/HEPIC with data including SIP packets. This tool supports more than just Kamailio, including FreeSWITCH, Asterisk and OpenSIPS; with the advantages of requiring no loading of modules, no code or configuration changes to whatever is being monitored, and no need for tricks to intercept TLS.
There were a number of other presentations that were of course interesting, such as the one by Markus Töpfer from the German Space Operations Center about how they’re using WebRTC for space mission control. All in all, it was a pleasure to visit and I hope to present something new at next year’s edition of the conference.
SMS and VoIP logs from Cisco Duo compromised
Independent investigative journalist Brian Krebs posted about an email that he received from Cisco Duo about the compromise of SMS and VoIP logs related to multifactor authentication. Various cyber-security media outlets, including Bleeping Computer and Help Net Security, covered this incident briefly.
Short news and commentary
- Anonymization Aspects of a Low-latency VoIP Security Analytics System - upcoming talk at PEPR'24 by Jiri Kuthan, Intuitive Labs
  - PEPR stands for Privacy Engineering Practice and Respect and is an event hosted by USENIX. In this talk, Jiri will present the challenges of doing security analytics on call detail records (CDRs) at large volumes while making use of E2EE and keeping latency low. An interesting challenge indeed!
- Zero-day vulnerabilities in Grandstream by Pentraze
  - There are no details about the types of vulnerabilities, but while inspecting the sngrep reports we noticed that the same vulnerability researchers also list Grandstream on their list of 0-day vulnerabilities.
- Repository of Wireshark Profiles for analyzing various protocols, including VoIP-related ones such as MGCP, RTP, RTCP and SDP
  - Wireshark profiles enable customization of the GUI, including preferences, coloring rules, and filters, to optimize for specific protocols, views, or tasks. This is a feature that is surprisingly new to me, despite over 20 years of Wireshark experience.
- Google Meet opens client-side encrypted calls to non-Google users
  - Apart from encrypting data at rest and in transit, Google Meet gives users direct control of their encryption keys and of the identity service they choose to authenticate with for those keys. Support for external participants has now been added as well.
- Protecting WebRTC and SIP with APIBAN - upcoming talk by Fred Posner at CommCon 2024
- Cloudflare Calls: millions of cascading trees all the way down
  - Cloudflare wrote about their new Cloudflare Calls feature, which offers a WebRTC SFU and TURN service at scale that is stateful, globally distributed and decentralized. It is now available as an open beta.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.
To subscribe: here