This white paper, titled "DTLS 'ClientHello' Race Conditions in WebRTC Implementations," details a security vulnerability affecting multiple WebRTC implementations. The research uncovers a security flaw where certain implementations fail to properly verify the origin of DTLS "ClientHello" messages in WebRTC sessions, potentially leading to denial of service attacks. The paper includes methodology, affected systems, and recommendations for mitigation.
When handling DTLS-SRTP for media setup, FreeSWITCH version 1.10.10 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.
RTPEngine version mr11.5.1.6 suffers from a denial of service vulnerability via DTLS Hello packets during call initiation.
When handling DTLS-SRTP for media setup, Asterisk version 20.1.0 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.
FreeSWITCH versions 1.10.6 and below suffer from a denial of service vulnerability when handling invalid SRTP packets.
FreeSWITCH versions 1.10.5 and below fail to authenticate SIP SUBSCRIBE requests by default.
FreeSWITCH versions 1.10.6 and below fail to authenticate SIP MESSAGE requests, leading to spam and message spoofing vulnerabilities.
FreeSWITCH versions 1.10.6 and below suffer from a SIP flooding denial of service vulnerability.
FreeSWITCH versions 1.10.6 and below suffer from a SIP digest leak vulnerability. An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.
A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function save_packet_sql is defined as a fixed-length array of 1024 characters, and it is set to the value of a SIP request or response line. A request or response line longer than that therefore triggers a buffer overflow in VoIPmonitor.
Static binaries provided for VoIPmonitor version 27.5 are built without any memory corruption protection in place.
VoIPmonitor WEB GUI versions 24.53, 24.54, and 24.55 suffer from multiple cross site scripting vulnerabilities.
Coturn version 4.5.1.x suffers from a loopback access control bypass vulnerability.
Asterisk versions 17.5.1 and 17.6.0 were found vulnerable to a denial of service condition where Asterisk segfaults when receiving an INVITE flood over TCP.
Asterisk Project Security Advisory - Upon receiving a new SIP INVITE, Asterisk did not return the created dialog locked or referenced. This left a gap between the creation of the dialog object and its next use by the thread that created it. Under some off-nominal circumstances and timing, it was possible for another thread to free that dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, was next dereferenced or accessed by the creating thread.
Kamailio version 5.4.0 is vulnerable to header smuggling via a bypass of remove_hf.
Kamailio versions 5.1.1, 5.1.0, and 5.0.0 suffer from an off-by-one heap overflow vulnerability.
Asterisk running chan_pjsip suffers from an INVITE message denial of service vulnerability. Versions affected include 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, and 14.7.5.
Asterisk running chan_pjsip suffers from an SDP message related denial of service vulnerability. Versions affected include 13.10.0, 15.1.3, 15.1.4, 15.1.5, and 15.2.0.
Asterisk version 15.2.0 running chan_pjsip suffers from an SDP message related denial of service vulnerability.
Asterisk running chan_pjsip suffers from a SUBSCRIBE message stack corruption vulnerability. Vulnerable versions include 15.2.0, 13.19.0, 14.7.5, and 13.11.2.
Asterisk Project Security Advisory - A crash occurs when a number of authenticated INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.
Asterisk Project Security Advisory - When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed despite having a fixed limit of 32. If more than 32 Accept headers were present the code would write outside of its memory and cause a crash.
Asterisk Project Security Advisory - By crafting an SDP message body with an invalid fmtp attribute, Asterisk crashes when using the pjsip channel driver because pjproject's fmtp retrieval function fails to check whether the fmtp value is empty (it is set empty if previously parsed as invalid). The severity of this vulnerability is lessened since an endpoint must be authenticated prior to reaching the crash point, unless it is configured with no authentication.
Asterisk Project Security Advisory - By crafting an SDP message with an invalid media format description, Asterisk crashes when using the pjsip channel driver because pjproject's SDP parsing algorithm fails to catch the invalid media format description. The severity of this vulnerability is lessened since an endpoint must be authenticated prior to reaching the crash point, unless it is configured with no authentication.