Fedora Account System
Red Hat Associate
Red Hat Customer
A logic vulnerability was found in GStreamer's webrtcbin component (gst-plugins-bad). The _check_sdp_crypto() function in webrtcsdp.c contains an inverted boolean condition at lines 128-134 that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. The check reads: if (!IS_EMPTY_SDP_ATTRIBUTE(message_fingerprint) && !IS_EMPTY_SDP_ATTRIBUTE(media_fingerprint)) Which means: if BOTH fingerprints ARE present, reject. The correct logic should reject when both are ABSENT. File: subprojects/gst-plugins-bad/ext/webrtc/webrtcsdp.c Function: _check_sdp_crypto() An attacker who can intercept and modify the WebRTC signaling channel can remove a=fingerprint attributes from SDP messages. The vulnerable webrtcbin will accept the modified SDP, bypassing the RFC 8122 fingerprint-to-DTLS-certificate binding. This weakens defenses against man-in-the-middle attacks on media streams. Practical impact is limited: exploitation requires MITM on the signaling channel (typically TLS-protected), and the DTLS layer may still independently validate certificates. This is a defense-in-depth bypass, not a complete cryptographic break. Affected: GStreamer gst-plugins-bad (reproduced on 1.28.3 and current main) Fixed: Planned for GStreamer 1.28.5 Fix MR: https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/98 Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5171 (confidential) Reporter: Clouditera Security; Z.ai Security; NSFOCUS PSIRT Ticket: PSIRTSUPT-19091