WebRTC traffic going through Cloudfront

Hello, on Nov 6th our managed network provider started seeing WebRTC threats (CVE-2018-6849) to Cloudfront IP addresses.

Prior to Nov 6th these were not appearing, and nothing has changed on the network/security configuration. Has anything changed with Genesys Cloud to start causing this? We are having to look into whitelisting this CVE/threat, but I don't see any mention of CloudFront or the IPs we are seeing in the documentation, i.e. "IP addresses for the firewall allowlist".

Just for example here is some of the traffic that was dropped.

Hello @crw1987,

What is the Source device in this case? A WebRTC client? A premises Edge device? If it's a WebRTC client, what type of client is it?

Thanks!

The source device is a WebRTC client. It is the "Genesys Cloud" Windows app, but it is also happening from the browser app with Edge and Chrome.

Thank you. Looking for a little more detail... what region is this Org in? And you're sure these connections are only attempted during WebRTC calls?

We are in the US East region, and this actually happens before login. The app or website simply goes to a blank white screen and never loads or prompts for credentials when this traffic is dropped/blocked.

We have temporarily allowed it for the time being and can now log in. Based on the CVE description it sounds like the app/service might be trying to find the local IP address somehow, but it only started on Nov 6th. Our provider's firewall was monitoring for this threat prior to that, and according to Fortinet their threat definitions haven't been updated since 2021.

I was skeptical these requests were due to WebRTC, but upon hearing they are pre-login I'm reasonably certain they are not. I suggest gathering console logs to see what the specific requests are and going from there.

@crw1987 please open a case with Genesys Cloud Care to continue this investigation. Because this is a public forum, there is no means to securely transmit potentially sensitive data such as a browser's network logs.
