CVE-2020-5753: 
NixOS vulnerability analysis and mitigation

Signal Private Messenger for Android v4.59.0 and up and iOS v3.8.1.5 and up contained a vulnerability that allows a remote non-contact to ring a victim's Signal phone and disclose the currently used DNS server due to ICE Candidate handling before a call is answered or declined. The vulnerability was discovered in early 2020 and was assigned CVE-2020-5753 (Tenable Advisory).

The vulnerability stems from how WebRTC processes ICE Candidates, which occurs before a user decides to answer an incoming Signal call. While a callee's IP address can be hidden using Signal's 'Always Relay Calls' setting, ICE Candidates support domain names that allow an attacker to force a callee to resolve during the signaling process. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability can result in a remote attacker obtaining coarse information by leaking the DNS server IP of a Signal user, which may disclose approximate location as well as changes in internet connections. If the Signal user is using a DNS that implements EDNS Client Subnet, part of the user's IP address could also be exposed, resulting in more precise location and network disclosure (Tenable Advisory).

Users should update to Signal Android version 4.59.11 or Signal iOS version 3.8.4 to address this vulnerability. The fix was implemented after coordination between Tenable and the Signal security team (Tenable Advisory).