A critical denial-of-service (DoS) vulnerability has been identified in media servers handling WebRTC’s DTLS-SRTP. This flaw, stemming from a race condition between ICE and DTLS traffic, can disrupt media sessions, threatening the availability of real-time communication services. Alfred Farrugia of Enable Security discovered and tested this vulnerability, providing a robust analysis and mitigation strategies. The primary mitigation involves filtering packets based on ICE-validated IP and port combinations.
In the realm of VoIP and real-time communications (RTC), constant availability is crucial. Downtime, even for milliseconds, can result in a significant loss of value. Historically, vulnerabilities leading to toll fraud or illegal wiretapping received more attention than DoS vulnerabilities. However, as client feedback underscored the critical nature of availability, the focus on application-level DoS vulnerabilities intensified.
Application-level DoS attacks, unlike volumetric ones, require code changes for mitigation, making them both challenging and interesting for cybersecurity professionals. This newly discovered vulnerability in WebRTC media servers exemplifies the complex nature of such threats.
The discovered vulnerability arises from a race condition between ICE media consent verification and the initiation of DTLS traffic. An attacker can send a DTLS ClientHello message with an invalid cipher suite (e.g., TLS_NULL_WITH_NULL_NULL) before the legitimate client's ClientHello arrives. This causes the media server to terminate the DTLS session, blocking the establishment of SRTP keys and disrupting the media session.
To exploit this, the attacker must guess the UDP ports used by the media server for incoming media sessions. By sending crafted ClientHello messages to these ports, the attacker can prevent media streams from being established.
This vulnerability is not a flaw in the DTLS protocol itself but in its implementation within certain WebRTC media servers that use ephemeral ports. While a DTLS server on a static port can handle multiple clients without disruption, allocating an ephemeral port per session for both DTLS and SRTP opens the window for this attack. The issue highlights the gap between ICE and DTLS in the WebRTC media establishment flow.
Testing this vulnerability safely involves:
- Initiating a WebRTC media session.
- Providing the attacker with the media server’s IP and port combination.
- Sending attack packets only to those specific ports.
For detection, network-level analysis can identify suspicious DTLS ClientHello messages with null ciphers or unusual UDP traffic patterns targeting multiple ports. Implementing security fixes, such as filtering packets based on ICE-validated IP and port combinations, can mitigate the vulnerability.
Effective mitigation includes:
- Trusting the ICE process to filter packets.
- Configuring DTLS servers to handle multiple states on a single port.
- Implementing security fixes in vulnerable software, as seen in Janus, Asterisk, FreeSWITCH, and RTP Engine.
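The following is an added illustration of the detection and mitigation points above, not code from Enable Security or from any of the affected projects. It parses the cipher-suite list out of a DTLS ClientHello record, flags the null cipher suite the write-up names, and applies the core fix: DTLS from a source (IP, port) that ICE has not validated is dropped before it ever reaches the DTLS stack. The packet builder, the `ice_validated` set and all addresses are constructed sample data.

```python
import struct

DTLS_HANDSHAKE, CLIENT_HELLO = 22, 1
TLS_NULL_WITH_NULL_NULL = 0x0000  # the cipher suite the write-up cites as the trigger


def build_client_hello(cipher_suites):
    """Constructed sample input: a minimal DTLS 1.2 ClientHello record (no session id, no cookie)."""
    body = b"\xfe\xfd" + b"\x00" * 32 + b"\x00" + b"\x00"          # version, random, session_id, cookie
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # cipher_suites, compression: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big")       # handshake header: type, length,
    hs += b"\x00\x00" + b"\x00" * 3 + len(body).to_bytes(3, "big")  # message_seq, frag_offset, frag_len
    record = struct.pack("!BHH", DTLS_HANDSHAKE, 0xFEFD, 0) + b"\x00" * 6  # type, version, epoch, seq
    return record + struct.pack("!H", len(hs) + len(body)) + hs + body


def client_hello_cipher_suites(pkt):
    """Return the offered cipher suites, or None if pkt is not a parseable DTLS ClientHello."""
    if len(pkt) < 25 or pkt[0] != DTLS_HANDSHAKE or pkt[13] != CLIENT_HELLO:
        return None
    body = pkt[25:]                                   # 13-byte record header + 12-byte handshake header
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id (length-prefixed)
        pos += 1 + body[pos]                          # cookie (DTLS-specific, length-prefixed)
        n = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if n % 2 or pos + n > len(body):
            return None
        return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]
    except (IndexError, struct.error):
        return None


def filter_dtls(pkt, src, ice_validated):
    """Decide what a hardened media server should do with an inbound DTLS packet from src=(ip, port)."""
    suites = client_hello_cipher_suites(pkt)
    if suites is None:
        return "ignore"                 # not a ClientHello; outside this check's scope
    if src not in ice_validated:
        return "drop"                   # the fix: only ICE-validated sources may start DTLS
    if TLS_NULL_WITH_NULL_NULL in suites:
        return "alert"                  # detection signal: no real client offers the null suite
    return "accept"


if __name__ == "__main__":
    validated = {("198.51.100.7", 50000)}            # constructed: peer address ICE has confirmed
    hostile = build_client_hello([TLS_NULL_WITH_NULL_NULL])
    print(filter_dtls(hostile, ("203.0.113.9", 41000), validated))   # drop
    print(filter_dtls(build_client_hello([0xC02B]), ("198.51.100.7", 50000), validated))  # accept
```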