Full Report
The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help... The post Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK appeared first on McAfee Blog.
Analysis Summary
# Vulnerability: Cleartext Transmission of Sensitive Information in Agora Video SDK
## CVE Details
- CVE ID: CVE-2020-25605
- CVSS Score: 7.5 (High)
- CWE: 319 (Cleartext Transmission of Sensitive Information)
## Affected Systems
- Products: Agora Video SDK
- Versions: Prior to version 3.2.1 (the fix shipped in 3.2.1, implying that earlier versions are vulnerable; the CVSS string details specifically note versions prior to 3.1).
- Configurations: Applications utilizing the vulnerable Agora Video SDK for voice and video communication.
## Vulnerability Description
Prior to the fixed version, the Agora Video SDK transmitted sensitive information, specifically audio and video call data, over the network unencrypted (in cleartext). A remote, unauthenticated attacker able to observe the network traffic could gain unauthorized access to the content of ongoing private video and audio calls. The underlying issue is the lack of mandatory encryption for session setup information.
## Exploitation
- Status: PoC available (Implied by research detailing the attack vector using public SDK examples and documentation; McAfee is unaware of exploitation in the wild.)
- Complexity: Low (CVSS specifies Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None - AV:N/AC:L/PR:N/UI:N)
- Attack Vector: Network
## Impact
- Confidentiality: High (Ability to obtain audio and video data)
- Integrity: None
- Availability: None
## Remediation
### Patches
- Agora SDK version **3.2.1** and newer fully mitigate this vulnerability by enforcing encryption options for initial call setup information.
### Workarounds
- Developers are strongly recommended to upgrade to the latest SDK version provided by Agora.
- Implement full encryption wherever possible in line with vendor best practices.
## Detection
- **Indicators of Compromise:** Monitoring network traffic for cleartext transmission of media streams originating from applications using the vulnerable Agora SDK components.
- **Detection Methods and Tools:** Network monitoring tools capable of deep packet inspection to check for non-encrypted RTP/media streams or call setup information associated with Agora proprietary protocols.
## References
- Vendor Advisory (Implied via the release of v3.2.1)
- McAfee ATR Research: hxxps://www.mcafee.com/blogs/other-blogs/mcafee-labs/call-an-exorcist-my-robots-possessed/
- Agora Website: hxxps://www.agora.io/en/