PT-2020-18674 · Signal · Signal Private Messenger

David Wells · Published 2020-05-20 · Updated 2022-04-07 · CVE-2020-5753

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Signal Private Messenger Android versions 4.59.0 and up
Signal Private Messenger iOS versions 3.8.1.5 and up

Description

The issue allows a remote non-contact to ring a victim's Signal phone and disclose the currently used DNS server, because ICE candidates are handled before the call is answered or declined. This improper handling of ICE candidates can lead to information disclosure about the victim's network setup.

Recommendations

For Signal Private Messenger Android versions 4.59.0 and up, consider disabling call functionality until a patch is available. For Signal Private Messenger iOS versions 3.8.1.5 and up, restrict access to call features to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

CVE-2020-5753

Affected Products

Signal Private Messenger