[VoiceOps] NOTICE: To all providers using the Grandstream HT502/HT503

Erik Flournoy erik at eespro.com
Wed Feb 6 17:29:54 EST 2013

Hey do you know if that affcts the GXW as well?

Erik Flournoy

This e-mail message, including any attachments from EESPRO.com - contain
information is intended only for the use of the individual named above and
may not be disseminated to any other party without written permission. If
you are not the intended recipient, or the employee or agent responsible
for delivering the message to the intended recipient, you are hereby
notified that any dissemination, disclosure, distribution, copying or
taking of any action in reliance on the contents of this e-mailed
information is strictly prohibited. If you have received this transmission
in error, please immediately notify info at eespro.com, and permanently delete
this e-mail and the attachments hereto, if any, and destroy any printout

On Wed, Feb 6, 2013 at 12:15 PM, Ryan Delgrosso <ryandelgrosso at gmail.com>wrote:

> All,
> Over the last few months we have uncovered a vulnerability in the HT502
> that allows for theft of credentials from customer devices. I am sending
> this out since the issue has now been resolved in a new release of firmware
> BUT Grandstream have NOT sent out any kind of pro-active notifications nor
> included this fix in their release notes for this build. After conferring
> with some other sizable providers also using this device at scale, they
> were able to "connect the dots" on their up-tick in fraud based on our
> discovery.
> First some history:
> We currently have over 50,000 deployed HT502's in active customer service.
> Beginning in December we saw an immediate and sizable up-tick in fraud by
> easily an order of magnitude.
> Statistical analysis of the fraud showed the ONLY linking factor to be the
> fact that the compromised accounts were ALL using the HT502 device AND had
> WAN port access enabled to the device, and we as the provider were locked
> out (admin password changed, no longer provisioning from us on scheduled
> interval)
> After some digging and conferring with Grandstream technical gurus it was
> confirmed there was a buffer overflow vulnerability that would allow a
> remote attacker to change the admin password WITHOUT rebooting the device
> or otherwise having any administrative access to it. Once the password was
> changed the attacker could log in with the new password and complete
> control. On all versions prior to the SIP credentials could be
> extracted from the admin website with the "Download config" option. On
> versions up to the sip credentials were STILL extractable from the
> telnet interface if the provisioning values were known by the attacker.
> All of these vulnerabilities are fixed in version I encourage you
> to test and deploy this version ASAP.
> I am sending this out in a purely advisory capacity in the hopes that
> education will prevent further monetary damages. Please feel free to
> contact me on or off list if you want to know more about this issue.
> -Ryan
> ______________________________**_________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/**mailman/listinfo/voiceops<https://puck.nether.net/mailman/listinfo/voiceops>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20130206/cf6846dd/attachment.html>

More information about the VoiceOps mailing list