0

We have a Fortigate perimeter firewall, and today I detected this event.

  • What should I do to improve protection?
  • How can someone obtain a local IP address through a firewall?

The following alert was observed:

"WebRTC.Local.IP.Addresses.Disclosure".
     date=2019-06-18 time=14:35:25 devname=xxxx devid=FG200ETK18901992
     logid="0419016384" type="utm" subtype="ips" eventtype="signature"
     level="alert" vd="root" eventtime=1560848725 severity="medium" srcip=y.y.y.y
     srccountry="aaaaaa" dstip=x.x.x.x srcintf="wan1" srcintfrole="wan"
     dstintf="port1" dstintfrole="lan" sessionid=158214294
     action="dropped" proto=6 service="HTTP" policyid=40
     attack="WebRTC.Local.IP.Addresses.Disclosure" srcport=80 dstport=57383
     hostname="pxlclnmdecom-a.akamaihd.net" direction="incoming" attackid=40038
     profile="default" ref="http://www.fortinet.com/ids/VID40038"
     incidentserialno=13903968 msg="web_app3: WebRTC.Local.IP.Addresses.Disclosure,"
     crscore=10 crlevel="medium"...
multithr3at3d
Infra

2 Answers

1

It appears the offending traffic was dropped, since your output contains action="dropped".

Searching for your exact title led me to the FortiGuard Encyclopedia, which explains the issue:

This indicates an attempt to obtain the IP addresses of a user through WebRTC in various browsers. The issue is due to a design in various browsers when handling WebRTC calls that probes STUN server to obtain a user's IP address. A potentially malicious actor can exploit this to obtain a user's local and public IP addresses, via a crafted web page.

Further, the same page links to some example JavaScript code that demonstrates how this works.

multithr3at3d
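
The check made by eye above (action="dropped"), as an added example that is not part of the original question or answers: a Python parser for the key=value log format shown in the question, which reports whether the IPS hit was blocked and which internal client received the page. The sample lines are constructed from the posted log; the set of blocking action values, the "detected" variant and the returned field names are assumptions.

```python
import re

# Constructed sample: one line assembled from fields of the log in the
# question (addresses stay redacted as posted).
SAMPLE = (
    'date=2019-06-18 time=14:35:25 type="utm" subtype="ips" level="alert" '
    'srcip=y.y.y.y dstip=x.x.x.x srcintf="wan1" dstintf="port1" '
    'action="dropped" proto=6 service="HTTP" policyid=40 '
    'attack="WebRTC.Local.IP.Addresses.Disclosure" srcport=80 dstport=57383 '
    'hostname="pxlclnmdecom-a.akamaihd.net" direction="incoming" '
    'msg="web_app3: WebRTC.Local.IP.Addresses.Disclosure," crscore=10'
)
# Constructed variant: same event, but logged without being dropped.
SAMPLE_DETECTED = SAMPLE.replace('action="dropped"', 'action="detected"')

# A value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: actions meaning the packet never reached the client.
# Only "dropped" appears on the page.
BLOCKED_ACTIONS = {"dropped"}


def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def triage(line):
    """Summarise an IPS event; return None for non-IPS log lines."""
    f = parse_line(line)
    if f.get("subtype") != "ips":
        return None
    # direction="incoming" with srcport 80/443 is a web server's reply, so
    # the internal browser is the destination of the logged packet.
    reply = f.get("direction") == "incoming" and f.get("srcport") in ("80", "443")
    return {
        "signature": f.get("attack"),
        "blocked": f.get("action") in BLOCKED_ACTIONS,
        "client": f.get("dstip") if reply else f.get("srcip"),
        "served_by": f.get("hostname"),
        "policyid": f.get("policyid"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_DETECTED):
        print(triage(sample))
```
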
-1

This was dropped by the Fortigate so there is nothing to change. The issue with this is the disclosure of the internal network. To check/fix your browsers go here: https://browserleaks.com/webrtc#webrtc-disable

chris