Data channel communication was incorrectly allowed with users who have failed DTLS certificate verification.
This attack requires
This attack can be detected by monitoring PeerConnectionState
in all versions of Pion WebRTC.
Users should upgrade to v3.0.15.
The exact patch is https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
Users should listen for when PeerConnectionState
changes to PeerConnectionStateFailed
. When it enters this state users should not continue using the PeerConnection.
If you have any questions or comments about this advisory:
Thank you to https://github.com/Gaukas for discovering this.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/pion/webrtc/v3 | lt | 3.0.15 |