CVE-2020-5753 : Security Advisory and Response

Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phone and disclose currently used DNS server due to ICE Candidate handling before call is answered or declined.

Understanding CVE-2020-5753

This CVE involves an information disclosure vulnerability in Signal Private Messenger.

What is CVE-2020-5753?

CVE-2020-5753 is a security vulnerability in Signal Private Messenger that enables a remote non-contact to ring a victim's Signal phone and reveal the currently used DNS server.

The Impact of CVE-2020-5753

The vulnerability allows unauthorized access to sensitive information, compromising user privacy and potentially leading to further security breaches.

Technical Details of CVE-2020-5753

This section provides detailed technical information about the CVE.

Vulnerability Description

Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up are affected by a flaw that allows a remote attacker to disclose the victim's currently used DNS server.

Affected Systems and Versions

Product: Signal Private Messenger
Versions: Android versions v4.59.0 and up, iOS versions v3.8.1.5 and up

Exploitation Mechanism

The vulnerability occurs due to ICE Candidate handling before a call is answered or declined, enabling the disclosure of the DNS server.

Mitigation and Prevention

Protecting against and addressing the CVE.

Immediate Steps to Take

Update Signal Private Messenger to the latest version immediately.
Avoid answering calls from unknown or suspicious contacts.
Regularly monitor for any unusual activity on the device.

Long-Term Security Practices

Use strong, unique passwords for all accounts.
Enable two-factor authentication where possible.
Stay informed about security updates and best practices.

Patching and Updates

Stay informed about security updates for Signal Private Messenger.
Apply patches promptly to ensure protection against known vulnerabilities.