[jitsi-users] Security Vulnerability: Jitsi as SIP-over-TLS client


#1

The issue happens since <http://github.com/jitsi/jitsi/commit/cd62892c2706370b23d334ee28e07b2090269090>. It is not caused by <http://github.com/jitsi/jain-sip/tree/jitsi-oss-only/> itself, but by how its API is used. I have a working patch.

Normally, I would proceed directly with a Pull Request on GitHub. However, there I am not able to mark it private, and the current Jitsi FAQ states that I have to report on the users (!) mailing-list first.

The issue is rather obvious for an attacker. Therefore, I do not see much benefit in not disclosing it. However, I do not know the current policy of the Jitsi team on security issues. Furthermore, although my patch works and is backward compatible with older Java versions, I tested it in one scenario only. There could be more scenarios I am not aware of yet. Therefore, the patch might not be fully ready.

Another question: The issue was unveiled because the JAIN-SIP library was changed. I want to investigate the root cause of that issue (to present it in my security class as a learning object): Which source/project was used as the JAIN-SIP library before April 2016?


#2

> The issue happens since <http://github.com/jitsi/jitsi/commit/cd62892c2706370b23d334ee28e07b2090269090>. It is not caused by <http://github.com/jitsi/jain-sip/tree/jitsi-oss-only/> itself, but by how its API is used. I have a working patch.
>
> Normally, I would proceed directly with a Pull Request on GitHub. However, there I am not able to mark it private, and the current Jitsi FAQ states that I have to report on the users (!) mailing-list first.

Pull Requests are usually fine, but we prefer that people ask before opening an issue (which often isn't one, but rather a question).

> The issue is rather obvious for an attacker.

I don't see the problem. But well, I'm a developer and not an attacker.

> Therefore, I do not see much benefit in not disclosing it. However, I do not know the current policy of the Jitsi team on security issues. Furthermore, although my patch works and is backward compatible with older Java versions, I tested it in one scenario only. There could be more scenarios I am not aware of yet. Therefore, the patch might not be fully ready.
>
> Another question: The issue was unveiled because the JAIN-SIP library was changed. I want to investigate the root cause of that issue (to present it in my security class as a learning object): Which source/project was used as the JAIN-SIP library before April 2016?

There are various versions that were used previously:
- https://github.com/jitsi/jain-sip/commits/jitsi
- https://github.com/jitsi/jain-sip/commits/jitsi-oss-only
- https://github.com/jitsi/libsrc/blob/master/jsip.zip

Ingo


#3

> Pull Requests are usually fine

There we go: <http://github.com/jitsi/jitsi/pull/347>

>> The issue is rather obvious for an attacker.
>
> I don't see the problem. But well, I'm a developer and not an attacker.

I would not have noticed it either if I had not had Wireshark running. I debugged an Opus codec issue (in another SIP client) and was able to see/read the SIP messages. That made me curious, because my SIP server offers TLS-PFS. Therefore, I looked at the SSL/TLS layer and found that issue. This issue can be leveraged by an automated MitM attack which does not need any human. Hence the ‘obvious’.

>> Which source was used as the JAIN-SIP library before April 2016?
>
> There are various versions that were used previously: …

Mhm. I do not find the actual reason why Jitsi (or JAIN-SIP) previously used the default TLS cipher suites of the installed Java Runtime. Although this is an issue in JAIN-SIP as well, Jitsi should configure the TLS cipher suites it requires. Hence my proposal in the above Pull Request.
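To illustrate the point of the thread (a SIP-over-TLS client should pin the cipher suites it requires rather than inherit the installed JRE's defaults), here is an added example written for this page; it is not code from Jitsi, JAIN-SIP or the Pull Request above. It uses plain JSSE on a client SSLSocket; the class and method names are hypothetical, and the `main` only audits how much of the JRE default list is forward-secret.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical helper (not Jitsi/JAIN-SIP code): pin a SIP-over-TLS client socket
 *  to forward-secret cipher suites instead of the installed JRE's defaults. */
public final class PfsOnlySipTlsClient {
    /** Keep ephemeral-key-exchange suites (ECDHE/DHE, plus TLS 1.3 suites, which are
     *  always ephemeral); drop NULL, anonymous and export suites even if the JRE lists them. */
    static String[] selectPfsSuites(String[] candidates) {
        List<String> keep = new ArrayList<>();
        for (String s : candidates) {
            boolean ephemeral = s.contains("_ECDHE_") || s.contains("_DHE_")
                    || s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_");
            boolean weak = s.contains("_NULL_") || s.contains("_anon_") || s.contains("EXPORT");
            if (ephemeral && !weak) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }
    /** Keep only TLS 1.2 and newer out of whatever this JRE supports. */
    static String[] selectModernProtocols(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) keep.add(p);
        return keep.toArray(new String[0]);
    }
    /** Open the TLS transport to the SIP server with explicit, not default, parameters. */
    static SSLSocket connect(String sipHost, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sock = (SSLSocket) factory.createSocket(sipHost, port);
        String[] suites = selectPfsSuites(sock.getSupportedCipherSuites());
        if (suites.length == 0) throw new IOException("JRE offers no forward-secret suites");
        sock.setEnabledCipherSuites(suites);                       // never rely on JRE defaults
        sock.setEnabledProtocols(selectModernProtocols(sock.getSupportedProtocols()));
        SSLParameters params = sock.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");        // certificate must match sipHost
        sock.setSSLParameters(params);
        sock.startHandshake();                                     // fails instead of silently downgrading
        return sock;
    }
    /** Audit: how many of the JRE's default suites would a client offer without configuration? */
    public static void main(String[] args) {
        String[] defaults = ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites();
        int pfs = selectPfsSuites(defaults).length;
        System.out.println(defaults.length + " default suites, " + pfs + " forward-secret, "
                + (defaults.length - pfs) + " non-PFS suites offered without explicit configuration");
    }
}
```

Running the audit on an older JRE shows the gap the thread describes: the default list mixes RSA key exchange (no forward secrecy) with ECDHE/DHE suites, so a client that never calls `setEnabledCipherSuites` leaves the choice to whatever is on the wire.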