Current Vendor: Jitsi
Vendor URL: https://jitsi.org
Versions affected: 1.x.x
Systems Affected: Jitsi Meet Electron
Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com
CVE Identifier: CVE-2020-27161
Risk: 5.3 (Medium) AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary & Impact

Jitsi Meet Electron includes apparent debugging code which ignores certificate validation errors, and therefore allows for man-in-the-middle attacks against limited, specially named Jitsi Meet servers.

Details

In what appears to be debugging code for local testing, Jitsi Meet Electron ignores certificate validation if a Jitsi Meet server name starts with ‘https://localhost’.

https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L187

The use of an open-ended regex pattern match means this certificate behavior applies to not onl servers on localhost (which is likely the intention) but also any remote server starting with the same characters. (ex: https://localhosting.example.example, https://localhoster.example.example)

In limited and constrained circumstances this could be used to defeat TLS protections for client communications.

Recommendation

Upgrade to version 2.0.0 or higher of the Jitsi Meet Electron client.

Vendor Communication

4/3/20 – Emailed Jitsi security contact address.
4/3/20 – Reply from Jitsi with PGP key.
4/3/20 – PoC and Draft Advisory shared by NCC Group.
4/7/20 – Jitsi released a beta build with a fix.
4/8/20 – Jitsi version 2.0.0 released, invoking the validation bypass code only when an explicit debug environment flag is set.
10/15/20 – CVE identifiers obtained.
10/22/20 – Public release of NCC Group technical advisory.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published