Our news
Next on our research agenda: Kamailio and OpenSIPS configuration security
Over the years, we have examined SIP environments protected by either Kamailio or OpenSIPS. Access to their configuration files has been especially valuable during our penetration tests. While both SIP servers are known for their robust and secure codebase, their highly flexible configuration can introduce significant security vulnerabilities. Some critical issues that we came across include SIP Open Relay, SQL injection, resource exhaustion, command injection and authentication bypass.
As we think about our security contributions for this year, we’re working on making our methodology more standard. In the process, we hope to release some helper tools so that people out there can easily check their Kamailio and OpenSIPS configuration files for security issues. We also hope to make some contributions to both SIP servers, through documentation updates and presentations at the upcoming Kamailio World and OpenSIPS Summit events later on this year.
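One of the configuration-level issues listed above, SQL injection through pseudo-variables interpolated into query strings, lends itself to a simple static check. The script below is an added example written for this newsletter page; it is not one of the helper tools mentioned above and not code from the Kamailio or OpenSIPS projects. It assumes the Kamailio sqlops/avpops functions sql_query, sql_xquery and avp_db_query, the {s.escape.common} string transformation as the escaping mechanism, and an illustrative (not complete) list of request-derived pseudo-variables.

```python
import re

# Pseudo-variables whose value comes from the incoming SIP request
# (assumption: an illustrative subset, not a complete list).
REQUEST_PVS = {"fU", "fu", "fd", "tU", "tu", "td", "rU", "ru", "rd",
               "au", "ar", "ad", "ua", "ci", "hdr"}
# Calls taking a free-form SQL string: the query is the first argument of
# avp_db_query and the second of sql_query / sql_xquery.
CALL_RE = re.compile(r'\b(sql_query|sql_xquery|avp_db_query)\s*\((.*)\)\s*;')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Matches $name, $name(arg), $(name{tr}) and $(name(arg){tr}{tr}) forms.
PV_RE = re.compile(
    r'\$\((?P<pname>[A-Za-z_]+(?:\([^)]*\))?)(?P<tr>(?:\{[^}]*\})*)\)'
    r'|\$(?P<bname>[A-Za-z_]+(?:\([^)]*\))?)')


def find_unescaped_sql_pvs(cfg_text):
    """Return (line, function, pseudo-variable) for every request-derived
    pseudo-variable placed in a SQL string without the s.escape.common
    transformation. Single-line calls only; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        call = CALL_RE.search(line)
        if not call:
            continue
        func, args = call.group(1), STRING_RE.findall(call.group(2))
        idx = 0 if func == "avp_db_query" else 1
        if len(args) <= idx:
            continue
        for pv in PV_RE.finditer(args[idx]):
            name = pv.group("pname") or pv.group("bname")
            escaped = "s.escape.common" in (pv.group("tr") or "")
            if name.split("(")[0] in REQUEST_PVS and not escaped:
                findings.append((lineno, func, "$" + name))
    return findings


# Constructed sample configuration fragment, not taken from any real deployment.
SAMPLE_CFG = """
route[AUTH_LOOKUP] {
    # unsafe: caller-controlled From user goes straight into the query
    sql_query("ca", "select password from subscriber where username='$fU'", "ra");
    # safe: escaped with the s.escape.common transformation
    sql_query("ca", "select password from subscriber where username='$(fU{s.escape.common})'", "ra");
    avp_db_query("select id from blocklist where ua='$ua'", "$avp(blocked)");
    avp_db_query("select count(*) from subscriber", "$avp(n)");
}
"""
```

Running find_unescaped_sql_pvs(SAMPLE_CFG) flags the $fU and $ua uses and leaves the escaped and constant queries alone; a real checker would also need to handle multi-line calls and OpenSIPS equivalents.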
If this topic is close to your heart, please get in touch by responding to the newsletter or contacting us. We’d love to get your feedback.
What’s happening?
Cisco BroadWorks fixes a SIP Denial of Service Vulnerability and a bit of background
Cisco BroadWorks, Cisco’s carrier-grade unified communication software platform, issued a security fix for a DoS affecting its SIP processing subsystem. Based on the advisory, the platform runs out of memory when trying to process high volumes of large incoming SIP messages.
The following excerpt from the advisory is interesting in terms of technical details:
To successfully exploit this vulnerability, an attacker would need to completely saturate the memory assigned to the Cisco BroadWorks Network Servers. Because administrators can allocate an arbitrary amount of memory to these servers, the time and number of SIP requests that are necessary to cause a DoS condition varies.
This resembles the security vulnerabilities we discover during our dedicated DoS penetration tests, where we evaluate different combinations of SIP and RTP flooding configurations and intensities. Memory issues were found in various other software, including FreeSWITCH and Asterisk.
If you’re administering a Cisco BroadWorks system, be sure to check out the official advisory for fixes and mitigation techniques.
Security improvements to the WebRTC codebase and the 0day from December 2023
Back in December 2023, Google’s Threat Analysis Group (TAG) reported an 0day in WebRTC that was being exploited in the wild which was subsequently tracked as CVE-2023-7024. The latest update is that last month, the associated security investigation and root cause analysis for the WebRtcAudioSink buffer overflow issue was unlocked and made available here.
Additionally, there is an ongoing effort (also here) within the WebRTC project to use ArrayView instead of raw pointers and lengths to pass data buffers. This is because using raw pointers and lengths is considered error-prone. The use of ArrayView was proposed as a solution to avoid vulnerabilities such as CVE-2023-7024 in the future.
Interestingly, however, this effort introduced two Negative-Size Parameter crashes within the webrtc::VideoRtpDepacketizerH264::Parse function, causing memory corruption. This was detected automatically thanks to Google’s Clusterfuzz and the code changes were reverted to avoid the issue.
Corresponding bug reports can be read here:
Many thanks to Philipp Hancke for pointing us in the right direction.
Samsung S24: Out of bounds write in APE Decoder
From the exploits club newsletter:
It’s not every day that new Android zero-click attack surfaces get dropped. But then again, @natashenka is not every other researcher. This week, an issue became unrestricted, and it demonstrates the dangers of that really useful feature that makes it so you don’t have to re-listen to your friend’s 3AM drunk audio message about girl and/or guy problems… that’s right, RCS audio transcription. Turns out, this is on by default, and the audio is thrown directly to Monkey’s Audio (APE) decoder. This decoder had an overflow in a dmabuf write due to improper size checking and thus could be used to crash the target device’s C2 process. While it’s not clear if this particular bug is exploitable, it is clear that no one is (publicly) talking about this attack surface.
This is tracked as CVE-2024-49415. Check out the Project Zero bug report for this great work.
As Philipp Hancke sez:
fuzz all your codecs!
Security Updates and Vulnerability News Round-Up
In a short but sweet YouTube discussion, WebRTC experts Tsahi Levent-Levi and Philipp Hancke examine whether WebRTC creates security risks. Philipp highlights concerns regarding the WebRTC project’s use of C++, which can pose memory safety risks, though these seem under control. Compared to alternatives like browser plugins, WebRTC is considered relatively secure, with Google effectively managing vulnerabilities. Privacy concerns, particularly around IP address disclosure, are also a key topic. Additionally, they touch on application security issues within the WebRTC ecosystem, which are distinct from core WebRTC vulnerabilities. All of this is discussed in under two minutes.
Original content here.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Mitel MiCollab to its Known Exploited Vulnerabilities (KEV) Catalog. These include CVE-2024-41713, an Authentication Bypass vulnerability with a patch available, and CVE-2024-55550, an Arbitrary File Read vulnerability that currently lacks a patch but may lead to data leakage for authenticated admins. Addressing the authentication bypass vulnerability also mitigates risks from the path traversal issue. For additional context, see last month’s newsletter.
Original content here.
Nabto, a company specializing in secure P2P live streaming for video surveillance, has published a new blog post on WebRTC security architecture and how they enhance it within their IoT solutions. In addition to WebRTC’s standard security mechanisms like DTLS-SRTP and secure signaling, Nabto incorporates the Constrained Application Protocol (CoAP), a web transfer protocol designed for constrained environments commonly found in IoT networks. The post offers an overview of WebRTC security and provides a glimpse into the additional measures Nabto employs for security purposes in their solutions.
Original content here.
The Broadcast Live Video Streaming WordPress plugin, which includes support for WebRTC as a broadcasting method, was found to have a stored cross-site scripting vulnerability (CVE-2024-12504). While the issue appears to have been resolved, the WordPress plugin directory has temporarily suspended all plugin downloads pending further review. Not sure if this is a great idea for people trying to upgrade to fix the vulnerability.
Original content here.
Asterisk has resolved yet another path traversal vulnerability within the Asterisk Management Interface (AMI). This vulnerability could be exploited even if the live_dangerously option is disabled. It is classified as moderate with a CVSS rating of 4.9.
Original content here.
The FCC officially launched the ‘Cyber Trust Mark’ on January 7, 2025, aimed at certifying the security compliance of IoT devices. This initiative aligns with global efforts, such as the EU’s recently enacted Cyber Resilience Act, to bolster the security of IoT infrastructure and software, given their critical role in daily life. The certification will apply to a broad range of devices, including VoIP devices and physical entry systems that often rely on protocols like SIP and WebRTC.
Original content here.