Welcome to the first one of the year 2025!
In this edition, we cover:
- SIP Server Security: configuration vulnerabilities in Kamailio and OpenSIPS
- Cisco BroadWorks DoS Vulnerability
- WebRTC project security efforts to avoid future 0days
- Vulnerabilities fixed in Asterisk, a Wordpress plugin, Samsung Galaxy S24
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Next on our research agenda: Kamailio and OpenSIPS configuration security
Over the years, we have examined SIP environments protected by either Kamailio or OpenSIPS. Access to their configuration files has been especially valuable during our penetration tests. While both SIP servers are known for their robust and secure codebase, their highly flexible configuration can introduce significant security vulnerabilities. Some critical issues that we came across include SIP Open Relay, SQL injection, resource exhaustion, command injection and authentication bypass.
As we think about our security contributions for this year, we’re working on making our methodology more standardised. In the process, we hope to release some helper tools so that people can easily check their Kamailio and OpenSIPS configuration files for security issues. We also hope to contribute to both SIP servers through documentation updates and presentations at the upcoming Kamailio World and OpenSIPS Summit events later this year.
If this topic is close to your heart, please get in touch by responding to the newsletter or contacting us. We’d love to get your feedback.
What’s happening?
Cisco BroadWorks fixes a SIP Denial of Service Vulnerability and a bit of background
Cisco BroadWorks, Cisco’s carrier-grade unified communication software platform, issued a security fix for a DoS affecting its SIP processing subsystem. Based on the advisory, the platform runs out of memory when trying to process high volumes of large incoming SIP messages.
The following excerpt from the advisory is interesting in terms of technical details:
To successfully exploit this vulnerability, an attacker would need to completely saturate the memory assigned to the Cisco BroadWorks Network Servers. Because administrators can allocate an arbitrary amount of memory to these servers, the time and number of SIP requests that are necessary to cause a DoS condition varies.
This resembles the security vulnerabilities we discover during our dedicated DoS penetration tests, where we evaluate different combinations of SIP and RTP flooding configurations and intensities. We have found similar memory issues in various other software, including FreeSWITCH and Asterisk.
If you’re administering a Cisco BroadWorks system, be sure to check out the official advisory for fixes and mitigation techniques.
Security improvements to the WebRTC codebase and the 0day from December 2023
Back in December 2023, Google’s Threat Analysis Group (TAG) reported a 0day in WebRTC that was being exploited in the wild, subsequently tracked as CVE-2023-7024. The latest update is that last month, the associated security investigation and root cause analysis for the WebRtcAudioSink buffer overflow issue was unlocked and made available here.
Additionally, there is an ongoing effort (also here) within the WebRTC project to use ArrayView instead of raw pointers and lengths to pass data buffers, since passing raw pointers and lengths separately is considered error-prone. The use of ArrayView was proposed as a solution to avoid vulnerabilities such as CVE-2023-7024 in the future.
Interestingly, however, this effort introduced two Negative-Size Parameter crashes within the webrtc::VideoRtpDepacketizerH264::Parse function, causing memory corruption. This was detected automatically thanks to Google’s ClusterFuzz, and the code changes were reverted to avoid the issue. The corresponding bug reports can be read here:
- h264_depacketizer_fuzzer: Negative-size-param in webrtc::VideoRtpDepacketizerH264::Parse
- rtp_video_frame_assembler_fuzzer: Negative-size-param in webrtc::VideoRtpDepacketizerH264::Parse
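To make the raw pointer-plus-length versus view contrast concrete, here is an added example that is not code from the WebRTC project: a simplified stand-in for rtc::ArrayView (not the real class) used by a parser for a constructed toy length-prefixed chunk format, showing how an oversized or negative length is refused before any memory is touched.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
// Simplified stand-in for WebRTC's rtc::ArrayView (not the real class): pointer
// and length travel together and every element access and slice is checked.
template <typename T>
class ArrayView {
 public:
  // A signed size is refused when negative: the negative-size-param failure
  // mode that ClusterFuzz surfaced in the H264 depacketizer.
  ArrayView(T* data, std::ptrdiff_t size) : data_(data), size_(0) {
    if (size < 0) throw std::length_error("negative ArrayView size");
    size_ = static_cast<std::size_t>(size);
  }
  T* data() const { return data_; }
  std::size_t size() const { return size_; }
  T& operator[](std::size_t i) const {
    if (i >= size_) throw std::out_of_range("ArrayView index");
    return data_[i];
  }
  // Slice that cannot escape the parent buffer.
  ArrayView subview(std::size_t offset, std::size_t len) const {
    if (offset > size_ || len > size_ - offset)
      throw std::out_of_range("ArrayView subview");
    return ArrayView(data_ + offset, static_cast<std::ptrdiff_t>(len));
  }
 private:
  T* data_;
  std::size_t size_;
};
// Constructed toy format: byte 0 declares the chunk length, chunk bytes follow.
// A raw (pointer, len) parser trusting the field reads past the packet when it
// lies; the view refuses the slice instead. Returns chunk length or -1.
int ParseChunk(ArrayView<const uint8_t> pkt, std::vector<uint8_t>& out) {
  if (pkt.size() < 1) return -1;
  std::size_t declared = pkt[0];
  try {
    ArrayView<const uint8_t> body = pkt.subview(1, declared);
    out.assign(body.data(), body.data() + body.size());
    return static_cast<int>(declared);
  } catch (const std::out_of_range&) {
    return -1;
  }
}
bool RejectsNegativeSize(std::ptrdiff_t size) {
  try { ArrayView<const uint8_t> v(nullptr, size); (void)v; return false; }
  catch (const std::length_error&) { return true; }
}
```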
Many thanks to Philipp Hancke for pointing us in the right direction.
Samsung S24: Out of bounds write in APE Decoder
From the exploits club newsletter:
It’s not every day that new Android zero-click attack surfaces get dropped. But then again, @natashenka is not every other researcher. This week, an issue became unrestricted, and it demonstrates the dangers of that really useful feature that makes it so you don’t have to re-listen to your friend’s 3AM drunk audio message about girl and/or guy problems…that’s right, RCS audio transcription. Turns out, this is on by default, and the audio is thrown directly to the Monkey’s Audio (APE) decoder. This decoder had an overflow in a dmabuf write due to improper size checking and thus could be used to crash the target device’s C2 process. While it’s not clear if this particular bug is exploitable, it is clear that no one is (publicly) talking about this attack surface.
This is tracked as CVE-2024-49415. Check out the Project Zero bug report for this great work.
As Philipp Hancke sez:
fuzz all your codecs!
Security Updates and Vulnerability News Round-Up
Is WebRTC a security risk?
In a short but sweet YouTube discussion, WebRTC experts Tsahi Levent-Levi and Philipp Hancke examine whether WebRTC creates security risks. Philipp highlights concerns regarding the WebRTC project’s use of C++, which can pose memory safety risks but seems to be under control. Compared to alternatives like browser plugins, WebRTC is considered relatively secure, with Google effectively managing vulnerabilities. Privacy concerns, particularly around IP address disclosure, are also a key topic. Additionally, they touch on application security issues within the WebRTC ecosystem, which are distinct from core WebRTC vulnerabilities. All of this is discussed in under two minutes.
Mitel 0-day and fixed vulnerabilities actively exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Mitel MiCollab to its Known Exploited Vulnerabilities (KEV) Catalog. These include CVE-2024-41713, an Authentication Bypass vulnerability with a patch available, and CVE-2024-55550, an Arbitrary File Read vulnerability that currently lacks a patch but may lead to data leakage for authenticated admins. Addressing the authentication bypass vulnerability also mitigates risks from the path traversal issue. For additional context, see last month’s newsletter.
Understanding WebRTC Security Architecture
Nabto, a company specializing in secure P2P live streaming for video surveillance, has published a new blog post on WebRTC security architecture and how they enhance it within their IoT solutions. In addition to WebRTC’s standard security mechanisms like DTLS-SRTP and secure signaling, Nabto incorporates the Constrained Application Protocol (CoAP), a web transfer protocol designed for constrained environments commonly found in IoT networks. The post offers an overview of WebRTC security and provides a glimpse into the additional measures Nabto employs for security purposes in their solutions.
Security Vulnerability in Broadcast Live Video Streaming Wordpress Plugin - CVE-2024-12504
The Broadcast Live Video Streaming WordPress plugin, which includes support for WebRTC as a broadcasting method, was found to have a stored cross-site scripting vulnerability (CVE-2024-12504). While the issue appears to have been resolved, the WordPress plugin directory has temporarily suspended all plugin downloads pending further review. Not sure if this is a great idea for people trying to upgrade to fix the vulnerability.
Asterisk security fix: Path traversal via AMI ListCategories allows access to outside files
Asterisk has resolved yet another path traversal vulnerability within the Asterisk Management Interface (AMI). This vulnerability could be exploited even if the live_dangerously option is disabled. It is classified as moderate with a CVSS rating of 4.9.
FCC Launches ‘Cyber Trust Mark’ for IoT Devices to Certify Security Compliance
The FCC officially launched the ‘Cyber Trust Mark’ on January 7, 2025, aimed at certifying the security compliance of IoT devices. This initiative aligns with global efforts, such as the EU’s recently enacted Cyber Resilience Act, to bolster the security of IoT infrastructure and software, given their critical role in daily life. The certification will apply to a broad range of devices, including VoIP devices and physical entry systems that often rely on protocols like SIP and WebRTC.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.
To subscribe: here