[VoiceOps] NOTICE: To all providers using the Grandstream HT502/HT503
Ryan Delgrosso
ryandelgrosso at gmail.com
Wed Feb 6 17:34:57 EST 2013
Plausible since I see a firmware release for the same and based on my
experience they largely share the same codebase.
On 02/06/2013 02:29 PM, Erik Flournoy wrote:
> Hey do you know if that affects the GXW as well?
>
>
> Erik Flournoy
> 808-426-4527
> 301-218-7325
>
>
> On Wed, Feb 6, 2013 at 12:15 PM, Ryan Delgrosso
> <ryandelgrosso at gmail.com <mailto:ryandelgrosso at gmail.com>> wrote:
>
> All,
> Over the last few months we have uncovered a vulnerability in the
> HT502 that allows for theft of credentials from customer devices.
> I am sending this out since the issue has now been resolved in a
> new release of firmware BUT Grandstream have NOT sent out any kind
> of pro-active notifications nor included this fix in their release
> notes for this build. After conferring with some other sizable
> providers also using this device at scale, they were able to
> "connect the dots" on their up-tick in fraud based on our discovery.
>
>
> First some history:
>
> We currently have over 50,000 deployed HT502's in active customer
> service.
>
> Beginning in December we saw an immediate and sizable up-tick in
> fraud by easily an order of magnitude.
>
> Statistical analysis of the fraud showed the ONLY linking factor
> to be the fact that the compromised accounts were ALL using the
> HT502 device AND had WAN port access enabled to the device, and we
> as the provider were locked out (admin password changed, no longer
> provisioning from us on scheduled interval)
>
> After some digging and conferring with Grandstream technical gurus
> it was confirmed there was a buffer overflow vulnerability that
> would allow a remote attacker to change the admin password WITHOUT
> rebooting the device or otherwise having any administrative access
> to it. Once the password was changed the attacker could log in
> with the new password and complete control. On all versions prior
> to 1.0.5.10 the SIP credentials could be extracted from the admin
> website with the "Download config" option. On versions up to
> 1.0.8.4 the sip credentials were STILL extractable from the telnet
> interface if the provisioning values were known by the attacker.
>
> All of these vulnerabilities are fixed in version 1.0.9.1. I
> encourage you to test and deploy this version ASAP.
>
>
> I am sending this out in a purely advisory capacity in the hopes
> that education will prevent further monetary damages. Please feel
> free to contact me on or off list if you want to know more about
> this issue.
>
> -Ryan
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
> https://puck.nether.net/mailman/listinfo/voiceops
>
>
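Fleet triage for the compromise pattern Ryan describes in the quoted advisory (affected model, WAN access enabled, firmware older than the fix, provider locked out of scheduled provisioning), as an added example that is not part of the original thread. The CSV inventory, provisioning-server log lines, daily check-in interval and the two-missed-intervals threshold are all constructed assumptions.

```python
# Added example, not from the original post; inventory, log lines and the interval are constructed/assumed.
from datetime import datetime, timedelta
FIXED_VERSION = (1, 0, 9, 1)          # release the advisory names as the fix
AFFECTED_MODELS = {"HT502", "HT503"}  # models named in the subject line
CHECKIN_INTERVAL = timedelta(days=1)  # assumed scheduled provisioning interval

def parse_version(v):
    # Tuples compare numerically; plain strings would order "1.0.10.x" before "1.0.9.1".
    return tuple(int(p) for p in v.split("."))

def parse_inventory(lines):
    # Constructed CSV: mac,model,firmware,wan_web_access(1/0)
    devices = {}
    for line in lines:
        mac, model, fw, wan = line.strip().split(",")
        devices[mac] = {"model": model, "fw": parse_version(fw), "wan": wan == "1"}
    return devices

def last_checkins(log_lines):
    # Most recent provisioning fetch per MAC from constructed "timestamp mac path" lines.
    seen = {}
    for line in log_lines:
        ts, mac, _path = line.split(" ", 2)
        seen[mac] = max(seen.get(mac, datetime.min), datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
    return seen

def triage(devices, checkins, now):
    # Flag only when every indicator lines up: affected model, WAN access on, pre-fix
    # firmware, and no check-in for two intervals (the "locked out" symptom).
    flagged = []
    for mac, d in devices.items():
        if d["model"] not in AFFECTED_MODELS or not d["wan"] or d["fw"] >= FIXED_VERSION:
            continue
        last = checkins.get(mac)
        if last is None or now - last > 2 * CHECKIN_INTERVAL:
            flagged.append(mac)
    return sorted(flagged)

INVENTORY = [  # constructed sample fleet
    "000B82AA0001,HT502,1.0.8.4,1",  # pre-fix, WAN on, silent for days -> flagged
    "000B82AA0002,HT502,1.0.8.4,1",  # pre-fix, WAN on, still checking in -> patch, not flagged
    "000B82AA0003,HT502,1.0.9.1,1",  # already on the fixed release
    "000B82AA0005,HT503,1.0.8.4,1",  # never reached the provisioning server -> flagged
]
PROV_LOG = [  # constructed provisioning-server access log
    "2013-02-01T03:00:00 000B82AA0001 /cfg000b82aa0001",
    "2013-02-06T03:00:00 000B82AA0002 /cfg000b82aa0002",
    "2013-02-06T03:00:00 000B82AA0003 /cfg000b82aa0003",
]
def run_triage(now=datetime(2013, 2, 6, 17, 34, 57)):
    return triage(parse_inventory(INVENTORY), last_checkins(PROV_LOG), now)
```

Devices that come back flagged are the ones to investigate for a changed admin password and to re-provision onto 1.0.9.1; devices that still check in but run older firmware simply need the upgrade.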