Vendor: Jitsi
Vendor URL: https://jitsi.org
Versions affected: 1.x.x
Systems Affected: Jitsi Meet Electron
Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com
CVE Identifier: CVE-2020-27161
Risk: 5.3 (Medium) CVSS v3 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary & Impact
Jitsi Meet Electron includes what appears to be debugging code that ignores TLS certificate validation errors, allowing man-in-the-middle attacks against a limited set of specially named Jitsi Meet servers.
Details
In what appears to be debugging code intended for local testing, Jitsi Meet Electron ignores certificate validation errors if the Jitsi Meet server URL starts with 'https://localhost'.
Because the check is an open-ended prefix match on the URL string rather than a comparison of the parsed hostname, this behaviour applies not only to servers on localhost (which is likely the intention) but also to any remote server whose URL begins with the same characters (for example https://localhosting.example.example or https://localhoster.example.example).
An attacker positioned on the network path to such a server could present an untrusted certificate and defeat the TLS protections for client communications. The circumstances are limited and constrained: the user must connect to a server whose name begins with 'localhost', and the attacker must be able to intercept that connection.
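The following is an added example, not code from jitsi-meet-electron or NCC Group: it places the open-ended "starts with https://localhost" decision described above beside a hardened replacement that parses the URL, compares the hostname exactly, and only runs when an explicit debug environment variable is set (the advisory says the 2.0.0 fix is gated behind such a flag but not what it is called, so the flag name and all function names here are hypothetical). The adapter mirrors the argument order Electron passes to `app.on('certificate-error', ...)` so the two decisions can be exercised offline against a constructed list of server URLs.

```javascript
// Added example (not jitsi-meet-electron's own code). Flag name and function
// names are hypothetical; only the "https://localhost" prefix bug is from the advisory.
const DEBUG_ENV_FLAG = 'EXAMPLE_ALLOW_LOCALHOST_CERT_ERRORS'; // hypothetical opt-in

// Vulnerable decision: an open-ended prefix match on the raw URL string.
// Any URL whose text begins with "https://localhost" is trusted, including
// remote hosts such as https://localhosting.example.example.
function vulnerableShouldIgnoreCertError(url) {
  return /^https:\/\/localhost/.test(url);
}

// Hardened decision: require the explicit debug flag, parse the URL with the
// WHATWG parser, and compare the parsed hostname against loopback names exactly.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function hardenedShouldIgnoreCertError(url, env = process.env) {
  if (env[DEBUG_ENV_FLAG] !== '1') {
    return false;            // without the opt-in, never bypass validation
  }
  let parsed;
  try {
    parsed = new URL(url);   // hostname excludes scheme, userinfo, port and path
  } catch {
    return false;            // unparseable URL: fail closed
  }
  if (parsed.protocol !== 'https:') {
    return false;
  }
  return LOOPBACK_HOSTS.has(parsed.hostname);
}

// Adapter with the same parameter order as Electron's 'certificate-error'
// listener: callback(true) proceeds despite the error, and
// event.preventDefault() suppresses Electron's default rejection.
function makeCertificateErrorHandler(shouldIgnore) {
  return (event, webContents, url, error, certificate, callback) => {
    if (shouldIgnore(url)) {
      event.preventDefault();
      callback(true);
    } else {
      callback(false);
    }
  };
}

// Constructed sample of server URLs (not from the advisory, except the second).
const SAMPLE_URLS = [
  'https://localhost:8443/meet',             // genuine local testing
  'https://localhosting.example.example/',   // advisory's example of an abusable name
  'https://localhost.example.example/',      // a subdomain literally named "localhost"
  'https://localhost@evil.example/',         // "localhost" is only the userinfo part
  'http://localhost/',                       // plain HTTP, no certificate involved
  'https://meet.example.example/',           // ordinary remote server
];

// Drive the handler with a fake event object and record, per URL, whether the
// certificate error would have been ignored.
function evaluate(shouldIgnore, env) {
  const handler = makeCertificateErrorHandler(url => shouldIgnore(url, env));
  const decisions = {};
  for (const url of SAMPLE_URLS) {
    let prevented = false;
    const fakeEvent = { preventDefault: () => { prevented = true; } };
    handler(fakeEvent, null, url, 'net::ERR_CERT_AUTHORITY_INVALID', null,
      trusted => { decisions[url] = trusted && prevented; });
  }
  return decisions;
}

console.log('vulnerable prefix check:', evaluate(vulnerableShouldIgnoreCertError));
console.log('hardened, flag set:', evaluate(hardenedShouldIgnoreCertError, { [DEBUG_ENV_FLAG]: '1' }));
console.log('hardened, flag unset:', evaluate(hardenedShouldIgnoreCertError, {}));
```

The prefix check trusts four of the six sample URLs, including the userinfo trick where "localhost" never appears in the hostname at all. The hardened version trusts only the genuine loopback URL, and only when the debug variable is present; with it unset every certificate error is rejected, which is the behaviour a shipped client should have regardless of the server name.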
Recommendation
Upgrade to version 2.0.0 or later of the Jitsi Meet Electron client, which invokes the certificate validation bypass only when an explicit debug environment flag is set.
Vendor Communication
4/3/20 – Emailed Jitsi security contact address.
4/3/20 – Reply from Jitsi with PGP key.
4/3/20 – PoC and draft advisory shared by NCC Group.
4/7/20 – Jitsi released a beta build with a fix.
4/8/20 – Jitsi version 2.0.0 released, invoking the validation bypass code only when an explicit debug environment flag is set.
10/15/20 – CVE identifiers obtained.
10/22/20 – Public release of NCC Group technical advisory.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.