[VoiceOps] Allworx Security Advisory

Stappenbeck, Mark MStappenbeck at allworx.com
Mon May 13 12:31:14 EDT 2013


J., 

Thank you for posting the advisory in a public place for the users of the list. 
It had been distributed to our partners, and distributors, and they passed the information on to their customers. 

The recent round of fraudulent calls were almost all the result of systems being installed in a manner that would leave the administrative interface open to the internet (not a system default configuration) and with either weak or default admin passwords. 
Some were the result of registering to the server using SIP credentials for third party (non Allworx) devices with weak, and sometimes matching, username and passwords. 
Some others occurred because Allworx handsets had been placed directly on the internet and either had the password for the phones administrative interface set to null, or the default. 
And lastly, there were a few cases with older phone software, if the handset was accessible from the internet, where copying part of a URI could allow access to the config file stored on the phone, and get the SIP registration parameters in the clear. 
The last one was definitely our bug, and has been remedied in later versions of software. 

Each release of new software includes security features along with normal "new" customer features. 
We also advise partners to keep the customers updated with the latest releases for these very reasons. 

I will not say that Allworx brushed any known issues off. 
I will say that we have taken many different approaches to let our partner community know what had been taking place, and reiterating the need to take all necessary precautions to keep their customers systems secure. 

I have seen very little from other manufacturers regarding these recent rounds of fraud attempts, and know that they have been compromised also, but I would hope that the fact that we have been open about them shows our dedication to keeping our customers secure and confident in our system. 

Thanks again, 

Mark Stappenbeck


-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Monday, May 13, 2013 9:27 AM
To: voiceops at voiceops.org; voipsec at voipsa.org
Subject: [VoiceOps] Allworx Security Advisory

Unsure why some of these vendors don't join this list. One of my clients who is an Allworx reseller, passed on the advisory.

www.infiltrated.net/Allworx_Service_Bulletin_Security_Advisory.pdf

I may (from the security standpoint) switch things up this year (vendors on this list beware). There are so many vulnerabilities that have yet to be addressed and although I am often torn about "disclosure," I WILL GO OUT on a whim and say Allworx knew this was an issue, and likely brushed it off as it was not reported.

So back to my "switching things up", to those vendors on this list, I suggest you go back to your security queues and get things in order. In these days and times, its darn right absurd for backdoor accounts, and letting security issues linger for years. 


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops



More information about the VoiceOps mailing list