FYI - Security vulnerability with Allworx
Posted: Thu Feb 28, 2013 12:41 am
http://www.reddit.com/r/sysadmin/commen ... erability/
I recently had the same thing happen on a system as the author reports in this link. Essentially, if a sip hacker can access the web port (80) of an Allworx phone, they are able to retrieve the phone's sip registration info. Once the hacker combines this with the spoofed mac address of the phone, which Allworx provides without even logging into the phone, the hacker is able to trick the Allworx server into thinking they have a legitimate and properly registered phone, have all the rights of that handset/user combination.... and can place outbound calls. This is primarily a concern for those who have deployed remote phones.
Obviously, if any remote phones have been placed in a DMZ or are otherwise not protected by a firewall and accessible over the wan, they are vulnerable to this hack. If you or the remote phone user has forwarded port 80 to the phone, it is vulnerable. It is not uncommon for users who have a remote phone at home to place their phone in their router's DMZ due to nat issues with some home routers, and their lack of understanding how to forward or open ports for their phones. To them, the DMZ works, so no reason to care otherwise.
I would strongly suggest doing a quick check of all your remote phones and making sure that port 80 is not available over the wan on any of them. I would also recommend adding international area codes to the blocked numbers list in your system's Dialing Privileges Group (under dial plan). Many ITSP's block international calls by default, but not all of them. It might also be worth checking with your ITSP's if they block them or have any kind of abuse protection in place.
I recently had the same thing happen on a system as the author reports in this link. Essentially, if a sip hacker can access the web port (80) of an Allworx phone, they are able to retrieve the phone's sip registration info. Once the hacker combines this with the spoofed mac address of the phone, which Allworx provides without even logging into the phone, the hacker is able to trick the Allworx server into thinking they have a legitimate and properly registered phone, have all the rights of that handset/user combination.... and can place outbound calls. This is primarily a concern for those who have deployed remote phones.
Obviously, if any remote phones have been placed in a DMZ or are otherwise not protected by a firewall and accessible over the wan, they are vulnerable to this hack. If you or the remote phone user has forwarded port 80 to the phone, it is vulnerable. It is not uncommon for users who have a remote phone at home to place their phone in their router's DMZ due to nat issues with some home routers, and their lack of understanding how to forward or open ports for their phones. To them, the DMZ works, so no reason to care otherwise.
I would strongly suggest doing a quick check of all your remote phones and making sure that port 80 is not available over the wan on any of them. I would also recommend adding international area codes to the blocked numbers list in your system's Dialing Privileges Group (under dial plan). Many ITSP's block international calls by default, but not all of them. It might also be worth checking with your ITSP's if they block them or have any kind of abuse protection in place.