Vulnerabilities in WebRTC Implementations Allow Attackers to Trigger DoS Attacks

18.10.2024


WebRTC (Web Real-Time Communication) is an open-source project that enables real-time audio, video, and data sharing directly between web browsers and mobile applications without requiring plugins. Its integration into HTML5 and support across major browsers make it a versatile tool for various applications. Recently, EnableSecurity discovered that vulnerabilities in WebRTC implementations allow threat actors to trigger DoS attacks.

WebRTC uses standardized protocols like DTLS and SRTP for encryption over UDP to ensure low latency. The connection process involves signaling, where peers exchange offers and answers with ICE candidates, usernames, and passwords. ICE then verifies connectivity and peer identity using STUN messages, followed by a DTLS handshake that establishes the secure connection through certificate fingerprints verified during signaling. This process guarantees end-to-end encryption and authentication for real-time audio, video, and data sharing.

Although designed for peer-to-peer communication, WebRTC often employs intermediary servers for improved performance and NAT traversal. However, implementations are vulnerable to a specific DoS attack during the window between media consent verification (ICE) and the DTLS handshake: a malicious DTLS ClientHello arriving in this window can disrupt the connection.

This vulnerability arises because WebRTC implementations treat ICE only as an initial consent mechanism rather than as the gate for all traffic on the media transport. Malicious actors can exploit this gap by injecting forged DTLS ClientHello messages before the legitimate peer's ClientHello arrives, causing a denial of service for real-time communication services. The issue is especially prevalent over UDP, which provides no inherent verification of a packet's source address.

Vulnerable implementations include popular open-source projects like Asterisk, RTPEngine, and FreeSWITCH, as well as some proprietary solutions. Mitigation strategies involve implementing stricter checks on the source of DTLS ClientHello packets to ensure they match the verified ICE candidate pair. The study recommends updating RFC 8826 and RFC 8827 to include explicit guidelines for processing DTLS ClientHello messages in relation to ICE-verified media streams. This vulnerability highlights the need for a more comprehensive understanding of media in WebRTC contexts, extending beyond just RTP to include DTLS and SCTP in ICE verification processes.
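As an added illustration (not code from the EnableSecurity research or from Asterisk, RTPEngine or FreeSWITCH), a minimal media-port demultiplexer that implements the mitigation described above: DTLS records are only handed to the DTLS stack when they arrive from the address that passed the ICE connectivity check, so a ClientHello from any other source is dropped and logged. The first-byte classification follows RFC 7983; the session model, addresses and sample datagram are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

def classify(datagram: bytes) -> str:
    """RFC 7983 first-byte demux: 0-3 STUN, 20-63 DTLS, 128-191 RTP/RTCP."""
    b = datagram[0] if datagram else -1
    if 0 <= b <= 3:
        return "stun"
    if 20 <= b <= 63:
        return "dtls"
    if 128 <= b <= 191:
        return "rtp"
    return "unknown"

def is_dtls_client_hello(datagram: bytes) -> bool:
    """13-byte DTLS record header, then the handshake type byte (1 = ClientHello)."""
    return len(datagram) >= 14 and datagram[0] == 22 and datagram[13] == 1

@dataclass
class MediaSession:
    # Remote (ip, port) proven by a successful ICE check; constructed model, a real
    # stack keys this on the full nominated candidate pair.
    verified_remote: Optional[tuple] = None
    dropped: list = field(default_factory=list)  # (remote, kind, was_client_hello)

    def on_ice_check_succeeded(self, remote: tuple) -> None:
        """ICE agent reports a STUN Binding request from `remote` passed ufrag/pwd auth."""
        self.verified_remote = remote

    def accept(self, remote: tuple, datagram: bytes) -> bool:
        """True if the datagram may be handed to the DTLS or RTP stack."""
        kind = classify(datagram)
        if kind == "stun":
            return True  # STUN always goes to ICE, which authenticates it itself
        if self.verified_remote is None or remote != self.verified_remote:
            # The fix: a DTLS ClientHello (or media) from an address that has not
            # passed ICE never reaches the DTLS stack, so it cannot pre-empt the peer.
            self.dropped.append((remote, kind, is_dtls_client_hello(datagram)))
            return False
        return kind in ("dtls", "rtp")

# Constructed sample datagram and addresses (documentation ranges, not captures).
LEGIT = ("198.51.100.10", 50000)
UNVERIFIED = ("203.0.113.7", 40000)
DTLS_CLIENT_HELLO = bytes([22, 0xFE, 0xFD]) + bytes(10) + bytes([1, 0, 0, 0])

def demo() -> dict:
    s = MediaSession()
    early = s.accept(UNVERIFIED, DTLS_CLIENT_HELLO)  # before consent: dropped
    s.on_ice_check_succeeded(LEGIT)                   # ICE verified the real peer
    legit = s.accept(LEGIT, DTLS_CLIENT_HELLO)        # accepted
    late = s.accept(UNVERIFIED, DTLS_CLIENT_HELLO)    # still dropped
    return {"early": early, "legit": legit, "late": late, "dropped": s.dropped}
```

The `dropped` list is the detection hook: a burst of rejected ClientHello records from an address that never passed ICE is the signal a monitoring pipeline would alert on.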
