
Cloud Vulnerability DB
A community-led vulnerabilities database
Pion WebRTC before version 3.0.15 did not properly terminate the DTLS connection when certificate verification failed. The PeerConnectionState was set to failed, but users could ignore this state and continue using the PeerConnection, which violates the WebRTC security model, under which no communication should be possible once verification fails. The vulnerability was discovered and disclosed on March 17, 2021 (GitHub Issue, GitHub Advisory).
The vulnerability stems from improper handling of DTLS certificate verification failures in the WebRTC implementation. When certificate verification failed during the PeerConnection handshake, the implementation set the PeerConnectionState to failed but did not enforce termination of data channel communication. Communication could therefore continue even though certificate verification had failed, bypassing an important security check (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).
The vulnerability could allow an attacker who knows the ICE password to establish and maintain data channel communication despite failing DTLS certificate verification. This compromises the WebRTC security model by allowing potentially unauthorized communication channels to remain active (GitHub Advisory).
The vulnerability was patched in version 3.0.15 of Pion WebRTC. Users should upgrade to this version or later. As a workaround, monitor PeerConnectionState changes and stop using the PeerConnection as soon as it enters the PeerConnectionStateFailed state (GitHub Advisory).
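The workaround above, as an added example that is neither Pion's code nor part of this report: a small Go guard that closes the transport the moment the state reaches Failed and refuses every later send, so application code cannot keep using a PeerConnection whose DTLS verification failed. It assumes the ConnState names (modelled on pion/webrtc v3's PeerConnectionState constants) and a Transport interface covering the Close and Send methods a real PeerConnection and DataChannel expose; the pion module is not imported, and FakeTransport is a constructed stand-in so the block runs offline.

```go
package main

import (
	"errors"
	"sync"
)

// ConnState models PeerConnectionState (assumption: mirrors pion/webrtc v3 names; the module is not imported).
type ConnState int
const (
	StateConnected ConnState = iota
	StateFailed
)

// Transport is the slice of PeerConnection/DataChannel behaviour the guard needs.
type Transport interface {
	Close() error
	Send([]byte) error
}

// Guard closes the transport once the state reaches Failed and refuses every later send.
type Guard struct {
	mu     sync.Mutex
	t      Transport
	failed bool
}
func NewGuard(t Transport) *Guard { return &Guard{t: t} }

// OnStateChange is the callback to register via pc.OnConnectionStateChange.
func (g *Guard) OnStateChange(s ConnState) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if s == StateFailed && !g.failed {
		g.failed = true
		_ = g.t.Close() // terminate the transport, do not merely flag it
	}
}
// Send delivers msg only while the connection has not failed.
func (g *Guard) Send(msg []byte) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.failed {
		return errors.New("peer connection failed: refusing to send")
	}
	return g.t.Send(msg)
}
// FakeTransport is a constructed stand-in so the example runs offline.
type FakeTransport struct{ Closed bool; Delivered int }
func (f *FakeTransport) Close() error   { f.Closed = true; return nil }
func (f *FakeTransport) Send([]byte) error { f.Delivered++; return nil }
```

With a real connection, register `g.OnStateChange` (with the pion state mapped to ConnState) in OnConnectionStateChange and route all data channel writes through `g.Send`.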
Source: This report was generated using AI