
[FCE-3227] Fix DTLS fingerprint not being validated in certain cases #250

Merged
sgfn merged 2 commits into master from fix/FCE-3227-dtls-fingerprint-not-validated on May 4, 2026

Conversation

sgfn (Member) commented Apr 27, 2026

This is a bugfix for a vulnerability found by @songxpu

As stated in the issue #249, when ExDTLS returned :handshake_finished with no packets, the actual peer fingerprint was not validated to match the one passed in the SDP offer/answer. Skipping this check is presumed to allow man-in-the-middle attacks which hijack the DTLS key exchange process and could therefore compromise the E2E encryption of the media being sent.

After this PR is merged, I recommend:

  • creating bugfix releases for the two most recent minor releases: 0.15.1, 0.16.1
  • retiring releases 0.15.0, 0.16.0
  • informing the community about this vulnerability and the extent we believe it could be (or have been) exploited

Additional research is needed to confirm the severity of this vulnerability, which was reported as critical
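The defect described above is a dispatch bug: certificate validation lived on only one of the handshake-completion paths. The following is an added illustration, not code from ex_webrtc or ExDTLS, and it does not model their actual API; the handshake results are reduced to "packets to flush" versus "no packets", the certificates are constructed byte strings (the SDP fingerprint is a hash over the DER bytes, so any bytes serve for the demonstration), and the helper names (`finish_vulnerable`, `finish_fixed`, `outcome`) are hypothetical. It shows the `a=fingerprint` attribute being parsed from the SDP, the peer certificate being hashed and compared in constant time, and why the check must run before any branch on the completion result.

```python
import hashlib
import hmac
import re

# a=fingerprint:<hash-func> <HH:HH:...> as carried in the SDP offer/answer (RFC 8122)
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$", re.M
)

# SDP hash-func names mapped to hashlib names (subset sufficient for this example)
HASH_FUNCS = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512", "sha-1": "sha1"}


class FingerprintMismatch(Exception):
    """Raised when the DTLS peer certificate does not match the SDP fingerprint."""


def parse_sdp_fingerprint(sdp: str) -> tuple[str, str]:
    """Return (hash_func, fingerprint) from the first a=fingerprint line of an SDP."""
    m = FINGERPRINT_RE.search(sdp)
    if m is None:
        raise ValueError("SDP carries no a=fingerprint attribute")
    return m.group(1).lower(), m.group(2).upper()


def cert_fingerprint(der_cert: bytes, hash_func: str) -> str:
    """Hash the DER-encoded certificate and format it as colon-separated uppercase hex."""
    digest = hashlib.new(HASH_FUNCS[hash_func], der_cert).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_matches(der_cert: bytes, hash_func: str, expected: str) -> bool:
    """Constant-time comparison of the actual peer fingerprint with the SDP one."""
    actual = cert_fingerprint(der_cert, hash_func)
    return hmac.compare_digest(actual.encode(), expected.upper().encode())


def finish_vulnerable(packets, peer_cert, hash_func, expected_fp) -> str:
    """Hypothetical buggy dispatch modelled on the issue: the check only lives in
    the branch that also has handshake packets to flush, so a completion that
    carries no packets is accepted without ever looking at the certificate."""
    if packets:
        if not fingerprint_matches(peer_cert, hash_func, expected_fp):
            raise FingerprintMismatch
        return "connected"
    return "connected"  # no validation on this path


def finish_fixed(packets, peer_cert, hash_func, expected_fp) -> str:
    """Hardened form: validate first, on every completion path, then handle packets."""
    if not fingerprint_matches(peer_cert, hash_func, expected_fp):
        raise FingerprintMismatch
    return "connected"  # packets, if any, would be flushed after this point


def outcome(handler, packets, peer_cert, sdp) -> str:
    """Run a handler against the fingerprint advertised in the SDP;
    return 'connected' or 'rejected'."""
    hash_func, expected = parse_sdp_fingerprint(sdp)
    try:
        return handler(packets, peer_cert, hash_func, expected)
    except FingerprintMismatch:
        return "rejected"


# Constructed sample data (not real certificates): the fingerprint is a hash over
# the DER bytes, so any byte string stands in for a certificate here.
LEGIT_CERT = b"constructed-der-certificate-of-the-real-peer"
OTHER_CERT = b"constructed-der-certificate-of-some-other-party"
SDP = "v=0\r\na=fingerprint:sha-256 " + cert_fingerprint(LEGIT_CERT, "sha-256") + "\r\n"

if __name__ == "__main__":
    for name, handler in (("vulnerable", finish_vulnerable), ("fixed", finish_fixed)):
        for packets in ([b"\x16\xfe\xfd"], []):
            label = "packets" if packets else "no packets"
            print(f"{name:10s} {label:10s} -> {outcome(handler, packets, OTHER_CERT, SDP)}")
```

Running the block prints that the vulnerable handler rejects a non-matching certificate only when packets are present and accepts it when they are not, while the fixed handler rejects it on both paths. The design point is to make the validation unconditional and to place it ahead of the branch, so that adding a new completion variant later cannot reintroduce the gap.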

@sgfn sgfn requested a review from Karolk99 April 27, 2026 14:09

codecov Bot commented Apr 27, 2026

Codecov Report

❌ Patch coverage is 85.71429% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.14%. Comparing base (edd7530) to head (d0c6ca3).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
lib/ex_webrtc/dtls_transport.ex 85.71% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #250      +/-   ##
==========================================
+ Coverage   88.01%   88.14%   +0.13%     
==========================================
  Files          59       59              
  Lines        2836     2834       -2     
==========================================
+ Hits         2496     2498       +2     
+ Misses        340      336       -4     
Files with missing lines Coverage Δ
lib/ex_webrtc/dtls_transport.ex 84.75% <85.71%> (+1.02%) ⬆️

... and 1 file with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@sgfn sgfn merged commit 658c632 into master May 4, 2026
3 checks passed
@sgfn sgfn deleted the fix/FCE-3227-dtls-fingerprint-not-validated branch May 4, 2026 10:40
sgfn (Member, Author) commented May 4, 2026

Released 0.15.1 and 0.16.1. Advisory available here
