{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ex_webrtc--0.16.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ex_webrtc (\u003c 0.15.1)","ex_webrtc (= 0.16.0)"],"_cs_severities":["high"],"_cs_tags":["webrtc","dtls","mitm","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eThe \u003ccode\u003eex_webrtc\u003c/code\u003e library, a WebRTC implementation for Erlang, is susceptible to a security vulnerability due to missing DTLS peer certificate fingerprint validation in the DTLS client role. Specifically, versions prior to 0.15.1 and version 0.16.0 fail to properly validate the fingerprint of the peer\u0026rsquo;s certificate when acting as a DTLS client. This occurs when answering a remote offer with \u003ccode\u003ea=setup:actpass\u003c/code\u003e, which is the default behavior for browsers. This oversight eliminates a crucial component of WebRTC\u0026rsquo;s mutual DTLS authentication, leaving the security of media and data channels dependent solely on the remote peer\u0026rsquo;s fingerprint verification. 
While this vulnerability alone does not allow passive eavesdropping on SRTP media against standards-compliant browsers using TLS-protected signalling, it enables a full man-in-the-middle attack when combined with insecure signalling protocols or a peer with similar validation flaws.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker intercepts the initial SDP offer from a legitimate client to the vulnerable \u003ccode\u003eex_webrtc\u003c/code\u003e server using insecure signalling (e.g., HTTP or plain WebSocket).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the SDP offer, replacing the legitimate client\u0026rsquo;s DTLS fingerprint with their own.\u003c/li\u003e\n\u003cli\u003eThe attacker forwards the modified SDP offer to the vulnerable \u003ccode\u003eex_webrtc\u003c/code\u003e server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eex_webrtc\u003c/code\u003e server, acting as the DTLS client, initiates a DTLS handshake with the attacker using the attacker\u0026rsquo;s fingerprint due to the missing validation.\u003c/li\u003e\n\u003cli\u003eThe attacker presents a valid certificate to the \u003ccode\u003eex_webrtc\u003c/code\u003e server, completing the DTLS handshake successfully.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the SDP answer from the \u003ccode\u003eex_webrtc\u003c/code\u003e server, which now contains the attacker\u0026rsquo;s fingerprint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the SDP answer, replacing their fingerprint with the legitimate server\u0026rsquo;s fingerprint.\u003c/li\u003e\n\u003cli\u003eThe attacker forwards the modified SDP answer to the legitimate client, establishing a secure connection between the client and the attacker, effectively completing the MITM attack and allowing interception of media and data channels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis 
vulnerability allows an attacker to perform a man-in-the-middle attack on WebRTC connections using \u003ccode\u003eex_webrtc\u003c/code\u003e, potentially affecting any application that relies on this library for secure communication. Successful exploitation could lead to the interception and manipulation of audio/video media (SRTP) and data channels (SCTP-over-DTLS). The impact is heightened when the library is used with insecure signaling methods, increasing the attack surface. While the number of affected applications is unknown, the potential for widespread compromise of WebRTC-based communication channels exists.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eex_webrtc\u003c/code\u003e to version 0.15.1 or 0.16.1 to patch the missing DTLS fingerprint validation, as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-qwfw-ggxw-577c\"\u003ehttps://github.com/advisories/GHSA-qwfw-ggxw-577c\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ExWebrtc DTLS Handshake Without Fingerprint Validation\u003c/code\u003e to identify potentially vulnerable \u003ccode\u003eex_webrtc\u003c/code\u003e instances negotiating DTLS connections without proper fingerprint validation.\u003c/li\u003e\n\u003cli\u003eIf insecure signaling protocols (HTTP/plain WebSocket) are in use, migrate to secure alternatives like HTTPS or WSS to prevent SDP rewrite attacks, mitigating the impact of CVE-2026-44700.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:08:18Z","date_published":"2026-05-08T17:08:18Z","id":"/briefs/2026-05-ex-webrtc-dtls-bypass/","summary":"The ex_webrtc library is vulnerable to a man-in-the-middle attack due to missing DTLS peer certificate fingerprint validation in the DTLS client role, potentially allowing interception of media and data channels when chained with insecure signaling or a peer with similar validation gaps; 
upgrade to versions 0.15.1 or 0.16.1 to mitigate this vulnerability.","title":"ex_webrtc Missing DTLS Fingerprint Validation Allows MITM","url":"https://feed.craftedsignal.io/briefs/2026-05-ex-webrtc-dtls-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Ex_webrtc (= 0.16.0)","version":"https://jsonfeed.org/version/1.1"}