CVE-2022-46871 - libusrsctp

Jean-Baptiste Truffault

unread,

Mar 25, 2023, 6:59:38 AM3/25/23

to kurento

Dears,

The CVE-2022-46871 has been published in december of 2022: https://nvd.nist.gov/vuln/detail/CVE-2022-46871

It affects the libusrsctp that is included in Kurento.

Mozilla corrected Firefox and Thunderbird but I haven't seen any correction concerning Kurento.

Do you know if Kurento is affected ?

Regards

Neil Young

unread,

Mar 25, 2023, 8:38:08 AM3/25/23

to kurento

I quickly checked the lib on my KMS 7 installation. Since KMS 7 uses provided system libs, the libusrsctp is having the same version as installed with Ubuntu 20.04

ubuntu@kms7:~$ sudo dpkg -l | grep libusrsctp

ii libusrsctp1:amd64 0.9.3.0+20190901-1 amd64 portable SCTP userland stack - shared library

From the date (2019) I would suppose, that this lib is not up to date w.r.t. the fix mentioned above (I wasn't able to figure what kind of vulnerability is fixed).

On my KMS 6 source installations I used the fork provided by Kurento (https://github.com/Kurento/libusrsctp). The last commit into this repo has been made 2019 and a comment suggests, that it is based on version 0.9.2 of that lib.

So also here most likely also outdated.

Neil Young

unread,

Mar 25, 2023, 8:44:22 AM3/25/23

to kurento

But from the release history of that lib I cannot see any patch/release related to that issue. Do you know details?

https://github.com/sctplab/usrsctp/releases

Last release Jan 2021... Not sure if I'm checking the same you are concerned about :)

Jean-Baptiste Truffault

unread,

Mar 25, 2023, 9:36:06 AM3/25/23

to kur...@googlegroups.com

We have the same conclusion: I haven't seen any patch either on the lib !

The correction of Firefox and Thunderbird focus on modifying some function calls (not the entire lib since it has not been updated). I guess that only those are vulnerable.

The thing is, I haven't found any details of the vulnerability, so I cannot say if Kurento is actually relying on the vulnerable part of the lib..

I was wondering if Kurento developers had more information about this !

Regards

--
You received this message because you are subscribed to the Google Groups "kurento" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kurento+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kurento/8f09e80b-48e5-484d-a208-bdd82db8b3e1n%40googlegroups.com.

Neil Young

unread,

Mar 25, 2023, 10:10:29 AM3/25/23

to kurento

For instance here:

https://phabricator.services.mozilla.com/rMOZILLACENTRAL523c7a1138c26816fd3f2bbea78da69e2c43075e

If you for instance check the changes in "netwerk/sctp/src/netinet/sctp_asconf.c" and compare that with a given original line (https://github.com/sctplab/usrsctp/blob/f9f95023816b61a2f257d2fb77658dceaea7213f/usrsctplib/netinet/sctp_asconf.c#L557), then you'll see, that they (Mozilla) must have made these changes in a fork of that lib.

However, it is not a trivial change and details about the vulnerability are not disclosed, so w/o further information about the nature of possible attacks it will be hard to see, what's cooking.

That being said: If there is such a gap in Kurento KMS then it is what it is and most likely it will never be fixed (I'm not speaking for Kurento, anyway, but I doubt that there will be action on this).

Some of the comments also look as like what you've said: The fixed some use scenarios of the library code on their end, but the last commit is really heavy...