PT-2021-17901 · Unknown · Pion Webrtc

Gaukas · Published 2021-03-18 · Updated 2021-07-28 · CVE-2021-28681

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pion WebRTC versions prior to 3.0.15
Description: The issue arises from improper teardown of the DTLS connection when certificate verification fails. As a result, data channel communication is incorrectly allowed with users who have failed DTLS certificate verification. This can occur when an attacker knows the ICE password and the attack takes place during the PeerConnection handshake. The issue can be detected by monitoring the PeerConnectionState in all versions of Pion WebRTC.
Recommendations: For versions prior to 3.0.15, users should upgrade to v3.0.15 to resolve the issue. As a temporary workaround, users should listen for when PeerConnectionState changes to PeerConnectionStateFailed and not continue using the PeerConnection when it enters this state.
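The workaround above, gating data-channel use on PeerConnectionState, as an added Go example that is not part of this advisory or of Pion's own code: a small latch fed from the callback registered with OnConnectionStateChange that refuses Send once the connection has ever reported Failed, even if the state later reads Connected again. ConnState is a local stand-in for webrtc.PeerConnectionState so the example builds without the library; the Gate type and its injected send function are assumptions for illustration.

```go
package main

import (
	"errors"
	"sync"
)

// ConnState stands in for Pion's PeerConnectionState (subset) so this builds
// without the pion/webrtc module; assumption: same names and meaning.
type ConnState int
const (
	StateNew ConnState = iota
	StateConnecting
	StateConnected
	StateFailed
)

var ErrNotConnected = errors.New("peer connection is not Connected")
var ErrPeerFailed = errors.New("peer connection entered Failed; never reuse it")

// Gate wraps a data channel's Send and latches shut once the PeerConnection
// reports Failed. A latch, not a live check, is the point: in affected versions
// DTLS is not torn down on certificate failure, so data may still flow after
// Failed. The mutex matters because Pion runs the callback on its own goroutine.
type Gate struct {
	mu     sync.Mutex
	cur    ConnState
	failed bool
	send   func([]byte) error // the real DataChannel.Send, injected (assumed)
}

// OnStateChange is the callback to register with pc.OnConnectionStateChange.
func (g *Gate) OnStateChange(s ConnState) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.cur = s
	g.failed = g.failed || s == StateFailed
}

// Send forwards only while Connected, and never after a Failed transition.
func (g *Gate) Send(msg []byte) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.failed {
		return ErrPeerFailed
	}
	if g.cur != StateConnected {
		return ErrNotConnected
	}
	return g.send(msg)
}
```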

Exploit

Fix

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2021-28681
GHSA-74XM-QJ29-CQ8P
GO-2021-0104

Affected Products

Pion Webrtc