webrtcbin accepts remote SDP without a=fingerprint due to inverted presence check
Summary
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams. This vulnerability is rated as Low severity because exploitation requires man-in-the-middle access to the WebRTC signaling channel, which is typically TLS-protected. Additionally, the DTLS layer may still independently validate certificates, limiting the practical impact of this bypass. The webrtcbin component is shipped as part of gstreamer1-plugins-bad-free in Red Hat Enterprise Linux 8, 9, 10, and RHIVOS. The vulnerability weakens one layer of defense-in-depth but does not constitute a complete cryptographic break. Red Hat severity: Low — CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Weakness: CWE-670. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9. Red Hat does not currently list a fixing RHSA for this CVE.
Mitigation checklist
- There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. Ensure WebRTC signaling channels use TLS encryption to prevent SDP modification in transit. 2. If WebRTC functionality is not required, remove the webrtcbin plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstwebrtc.so).
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.