FreeSWITCH 1.10.10 DoS CVE-2023-51443 Exploit


by Prapattimynk



When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at the signaling (SIP) level too.

This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP and DTLS messages between a UAC (the Caller) and a FreeSWITCH server capable of handling WebRTC calls.

Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS: https://user-images.githubusercontent.com/4557407/271063734-85425e09-6945-49b1-ba73-751b6d592ea4.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH’s media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against FreeSWITCH that fails due to an attacker controlled DTLS ClientHello: https://user-images.githubusercontent.com/4557407/271064011-032f9a0e-15af-4645-b008-1fe8b706d75e.png

During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.
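For monitoring, the condition described above can be checked on captured media-port traffic. The following is an added example, not code from the advisory or from FreeSWITCH: it parses a DTLS ClientHello and flags one that arrives from an address other than the negotiated peer or that offers no cipher suite besides `TLS_NULL_WITH_NULL_NULL`. The function names, the sample addresses and port, and the assumption that the expected peer per media port is known from call signalling are all hypothetical.

```python
import struct

NULL_SUITE = 0x0000  # TLS_NULL_WITH_NULL_NULL, the suite named in the advisory

def client_hello_suites(payload):
    """Return offered cipher suites if payload is a DTLS ClientHello, else None."""
    try:
        ctype, ver_major = struct.unpack_from("!BB", payload, 0)
        # 22 = handshake record, 0xFE = DTLS version family, msg_type 1 = ClientHello
        if ctype != 22 or ver_major != 0xFE or payload[13] != 1:
            return None
        off = 13 + 12 + 2 + 32       # record hdr, handshake hdr, client_version, random
        off += 1 + payload[off]      # session_id
        off += 1 + payload[off]      # cookie
        (n,) = struct.unpack_from("!H", payload, off)
        return list(struct.unpack_from(f"!{n // 2}H", payload, off + 2))
    except (struct.error, IndexError):
        return None                  # truncated or malformed datagram

def classify(src, payload, expected_peer):
    """Findings for one datagram; expected_peer is the negotiated (ip, port) (assumed known)."""
    suites = client_hello_suites(payload)
    if suites is None:
        return []
    findings = []
    if src != expected_peer:
        findings.append("client-hello-from-unexpected-source")
    if all(s == NULL_SUITE for s in suites):
        findings.append("no-usable-cipher-suite")
    return findings

def scan(datagrams, expected_peers):
    """datagrams: (src, dst_port, payload); expected_peers: dst_port -> (ip, port)."""
    return [(dport, src, f) for src, dport, payload in datagrams
            for f in classify(src, payload, expected_peers.get(dport))]

# Constructed sample capture (documentation addresses, zeroed random, no extensions).
_PREFIX = bytes.fromhex("16fefd" + "00" * 8 + "0036" + "0100002a" + "0000" + "000000"
                        + "00002a" + "fefd" + "00" * 32 + "00" + "00" + "0002")
NULL_HELLO = _PREFIX + bytes.fromhex("0000" + "0100")
GCM_HELLO = _PREFIX + bytes.fromhex("c02b" + "0100")  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
CALLER, OTHER = ("198.51.100.7", 40000), ("203.0.113.9", 5555)
CAPTURE = [(CALLER, 16384, GCM_HELLO), (OTHER, 16384, NULL_HELLO),
           (CALLER, 16384, b"\x80\x00" + bytes(10))]  # last entry: RTP-like, not DTLS

if __name__ == "__main__":
    for alert in scan(CAPTURE, {16384: CALLER}):
        print(alert)
```

A burst of `client-hello-from-unexpected-source` findings spread across the RTP port range matches the spraying pattern described above.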


