CVE-2022-23228

7.5 HIGH

📋 TL;DR

CVE-2022-23228 is an improper WebRTC input validation vulnerability in Pexip Infinity that allows unauthenticated remote attackers to cause denial of service by consuming excessive resources. This affects all Pexip Infinity deployments before version 27.0, potentially disrupting video conferencing services.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: All versions before 27.0
Operating Systems: All supported Pexip Infinity platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All Pexip Infinity deployments with WebRTC enabled are vulnerable in default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of Pexip Infinity platform, disrupting all video conferences and collaboration services for extended periods.

🟠

Likely Case

Temporary service degradation or intermittent outages affecting some conferences until resources are restored.

🟢

If Mitigated

Minimal impact with proper rate limiting, resource monitoring, and network segmentation in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit the flaw, but exploitation requires network access to the WebRTC service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending malformed WebRTC packets, which is relatively straightforward for attackers with basic networking knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 27.0 and later

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade Pexip Infinity to version 27.0 or later.
3. Restart all Pexip Infinity services.
4. Verify WebRTC functionality post-upgrade.

🔧 Temporary Workarounds

Disable WebRTC

Platform: all

Temporarily disable WebRTC functionality to prevent exploitation while planning upgrade.

pexip --disable-webrtc

Implement Rate Limiting

Platform: Linux

Configure network-level rate limiting for WebRTC traffic to reduce attack surface.

# Accept at most 100 UDP packets per minute to the STUN/TURN port (3478).
# Note: "-m limit" is a single global cap, not a per-source one, so a flood
# from one address also squeezes legitimate callers. Rule order matters:
# the ACCEPT rule must be appended before the DROP rule.
iptables -A INPUT -p udp --dport 3478 -m limit --limit 100/min -j ACCEPT
# Everything above the rate is dropped.
iptables -A INPUT -p udp --dport 3478 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Pexip Infinity from untrusted networks
  • Deploy Web Application Firewall (WAF) with WebRTC-specific rules and rate limiting

🔍 How to Verify

Check if Vulnerable:

Check the Pexip Infinity version via the admin interface or CLI; if it is below 27.0, the system is vulnerable.

Check Version:

pexip --version

Verify Fix Applied:

Verify that the version is 27.0 or higher and that WebRTC connections remain functional.

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebRTC connection spikes
  • Resource exhaustion warnings in system logs
  • Failed WebRTC handshake attempts

Network Indicators:

  • Abnormal UDP traffic on port 3478 (STUN)
  • High volume of WebRTC packets from single sources
  • Malformed WebRTC SDP offers

SIEM Query:

source="pexip" AND ("resource exhaustion" OR "webrtc error" OR "connection spike")
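As an added example (not Pexip's code and not part of the original advisory), the following Python script applies the log and network indicators above to a batch of constructed log lines: it counts WebRTC offers and failed handshakes per source address in a sliding 60-second window, flags any source that exceeds a threshold, and surfaces malformed-SDP and resource-exhaustion messages. The log line format, event names, thresholds and sample lines are all assumptions made for the demo; Pexip Infinity's real log fields differ, so parse_line() must be adapted to what your syslog or SIEM actually receives.

```python
"""Sliding-window detector for the WebRTC indicators listed above.

Added example, not Pexip's code. The log line format below is CONSTRUCTED for
illustration; real Pexip Infinity logs differ, so adapt parse_line() to the
fields your syslog/SIEM actually receives.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO timestamp> webrtc <event> src=<ip> [msg=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) webrtc (?P<event>\w+) src=(?P<src>[\d.]+)(?: msg=(?P<msg>.*))?$"
)

# Thresholds are assumptions for the demo; tune them to your own baseline.
WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS_PER_SRC = 5
RESOURCE_KEYWORDS = ("resource exhaustion", "out of memory", "webrtc error")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return a list of (kind, detail) alerts in the order they are raised.

    kind is one of:
      'spike'     - one source exceeded MAX_ATTEMPTS_PER_SRC offers/failed handshakes in WINDOW
      'malformed' - a WebRTC SDP offer failed to parse
      'resource'  - the server itself logged a resource-exhaustion condition
    """
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of attempts inside WINDOW
    flagged = set()              # sources already reported as a spike
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, src = rec["ts"], rec["event"], rec["src"]
        msg = (rec["msg"] or "").lower()
        if event in ("offer", "handshake_failed"):
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > MAX_ATTEMPTS_PER_SRC and src not in flagged:
                flagged.add(src)
                alerts.append(("spike", f"{src}: {len(q)} attempts in {WINDOW.seconds}s"))
        if event == "sdp_parse_error":
            alerts.append(("malformed", f"{src}: {rec['msg']}"))
        if any(k in msg for k in RESOURCE_KEYWORDS):
            alerts.append(("resource", rec["msg"]))
    return alerts


# Constructed sample: one noisy source, one benign source, one malformed offer,
# one server-side resource warning, and one unrelated line that is skipped.
SAMPLE_LOG = [
    "2022-01-10T10:00:00 webrtc offer src=203.0.113.5",
    "2022-01-10T10:00:01 webrtc offer src=198.51.100.7",
    "2022-01-10T10:00:02 webrtc offer src=203.0.113.5",
    "2022-01-10T10:00:03 webrtc handshake_failed src=203.0.113.5",
    "2022-01-10T10:00:04 webrtc offer src=203.0.113.5",
    "2022-01-10T10:00:05 webrtc offer src=203.0.113.5",
    "2022-01-10T10:00:06 webrtc offer src=203.0.113.5",
    "2022-01-10T10:00:07 webrtc sdp_parse_error src=203.0.113.5 msg=truncated m= line",
    "2022-01-10T10:00:08 webrtc offer src=203.0.113.5",
    "2022-01-10T10:05:00 webrtc error src=203.0.113.5 msg=WebRTC error: resource exhaustion, media worker restarted",
    "not a webrtc line at all",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

On the sample above the detector raises three alerts: a spike for 203.0.113.5 once its sixth attempt lands inside the window, a malformed-SDP alert for the parse error, and a resource alert for the server-side exhaustion message; the benign source 198.51.100.7 is never reported. Reporting each source once per spike keeps the output readable during a sustained flood; a production version would also clear the flagged set when a source goes quiet.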
