UC320W and asterisk security vulnerabilities

Efim Kuznetsov
Level 1

The UC320W listens on port 5064 on the WAN, and anyone who wishes can use your device as a SIP proxy!

| SIP Device        | User Agent            | Fingerprint |
-----------------------------------------------------------
| X.X.X.X:5064 | Cisco/UC320W-2.3.3(4) | disabled    |

4 Replies

Efim Kuznetsov
Level 1

Nov 13 20:03:44 UC320W user.debug voice: INVITE sip:+970599198685@X.X.X.X:5064 SIP/2.0
To: +970599198685<sip:+970599198685@X.X.X.X>
From: 1001<sip:1001@X.X.X.X>;tag=454bc890
Via: SIP/2.0/UDP 37.220.30.42:5076;branch=z9hG4bK-e3e3c7ba1733e591b791727d32b548cf;rport
Call-ID: e3e3c7ba1733e591b791727d32b548cf
CSeq: 1 INVITE
Contact: <sip:1001@37.220.30.42:5076>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 279

v=0
o=sipcli-Session 102773540 341735944 IN IP4 37.220.30.42
s=sipcli
c=IN IP4 37.220.30.42
t=0 0
m=audio 5077 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

Nov 13 20:03:44 UC320W user.debug voice:

Nov 13 20:03:44 UC320W user.debug voice: [9]->37.220.30.42:5076(363)

Nov 13 20:03:44 UC320W user.debug voice: SIP/2.0 100 Trying
To: +970599198685<sip:+970599198685@X.X.X.X>
From: 1001<sip:1001@X.X.X.X>;tag=454bc890
Call-ID: e3e3c7ba1733e591b791727d32b548cf
CSeq: 1 INVITE
Via: SIP/2.0/UDP 37.220.30.42:5076;branch=z9hG4bK-e3e3c7ba1733e591b791727d32b548cf
Server: Cisco/UC320W-2.3.3(4)
Allow-Events: talk, hold, conference, x-spa-cti
Content-Length: 0

I restricted this hole, but this is far from an ideal solution, IMHO.

http://192.168.10.1/admin/voice/

tab -> System

option -> Restricted Access Domains:  your.sipproxy.com

*this works only before you click "Apply All Changes" in web admin


To apply this setting permanently, you must change the config file via telnet. I also use tftp to copy files to the PC and back to the router.

./home/usb_disk/cfg/misc/config.xml

line: <Restricted_Access_Domains>your.sipproxy.com</Restricted_Access_Domains>
    Line 2915: Nov 28 20:29:21 UC320W user.debug voice: SIP message from source IP 188.138.98.114 is blocked.
    Line 2939: Nov 28 20:32:18 UC320W user.debug voice: SIP message from source IP 198.7.62.118 is blocked.
    Line 2978: Nov 28 20:37:18 UC320W user.debug voice: SIP message from source IP 188.138.33.226 is blocked.
    Line 3643: Nov 28 21:48:37 UC320W user.debug voice: SIP message from source IP 198.7.62.118 is blocked.
    Line 4083: Nov 28 22:32:45 UC320W user.debug voice: SIP message from source IP 89.163.144.80 is blocked.
    Line 4314: Nov 28 23:00:10 UC320W user.debug voice: SIP message from source IP 50.30.37.184 is blocked.
    Line 5658: Nov 29 01:20:51 UC320W user.debug voice: SIP message from source IP 107.150.63.66 is blocked.
    Line 5917: Nov 29 01:54:25 UC320W user.debug voice: SIP message from source IP 85.25.237.51 is blocked.
    Line 6140: Nov 29 02:13:58 UC320W user.debug voice: SIP message from source IP 173.255.139.178 is blocked.
    Line 7980: Nov 29 03:52:41 UC320W user.debug voice: SIP message from source IP 188.138.75.89 is blocked.
    Line 8455: Nov 29 04:46:03 UC320W user.debug voice: SIP message from source IP 178.162.198.132 is blocked.
    Line 9254: Nov 29 06:06:44 UC320W user.debug voice: SIP message from source IP 161.202.40.186 is blocked.
    Line 9363: Nov 29 06:19:53 UC320W user.debug voice: SIP message from source IP 209.126.97.240 is blocked.
    Line 9495: Nov 29 06:34:02 UC320W user.debug voice: SIP message from source IP 188.138.98.114 is blocked.
    Line 9573: Nov 29 06:44:08 UC320W user.debug voice: SIP message from source IP 209.62.211.118 is blocked.
    Line 9620: Nov 29 06:49:31 UC320W user.debug voice: SIP message from source IP 188.138.33.226 is blocked.
    Line 11009: Nov 29 09:19:15 UC320W user.debug voice: SIP message from source IP 50.30.37.156 is blocked.
    Line 11152: Nov 29 09:38:38 UC320W user.debug voice: SIP message from source IP 212.129.7.254 is blocked.
    Line 11266: Nov 29 09:53:40 UC320W user.debug voice: SIP message from source IP 85.25.237.51 is blocked.
    Line 11725: Nov 29 10:47:34 UC320W user.debug voice: SIP message from source IP 85.25.237.51 is blocked.
    Line 13065: Nov 29 12:51:18 UC320W user.debug voice: SIP message from source IP 89.163.144.80 is blocked.
    Line 13067: Nov 29 12:51:18 UC320W user.debug voice: SIP message from source IP 89.163.144.80 is blocked.
    Line 13257: Nov 29 13:07:53 UC320W user.debug voice: SIP message from source IP 31.3.230.210 is blocked.
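
Added example, not part of the original posts and not Cisco tooling: a log check for syslog in the format shown in this thread. It lists INVITEs whose Via address is not a trusted proxy and counts the sources the device reports as blocked. The sample log, the trusted-proxy address and the function name are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in this thread (documentation IPs).
SAMPLE_LOG = """\
Nov 13 20:03:44 UC320W user.debug voice: INVITE sip:+15555550100@X.X.X.X:5064 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5076;branch=z9hG4bK-0001;rport
User-Agent: sipcli/v1.8
Nov 13 20:05:10 UC320W user.debug voice: INVITE sip:1002@X.X.X.X:5064 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK-0002
User-Agent: ExampleProxy/1.0
Nov 28 20:29:21 UC320W user.debug voice: SIP message from source IP 203.0.113.7 is blocked.
Nov 28 20:32:18 UC320W user.debug voice: SIP message from source IP 203.0.113.9 is blocked.
Nov 28 21:48:37 UC320W user.debug voice: SIP message from source IP 203.0.113.9 is blocked.
"""

# Assumption: the address(es) that your.sipproxy.com resolves to.
TRUSTED_PROXIES = {"198.51.100.10"}

INVITE_RE = re.compile(r"voice: INVITE sip:([^@\s]+)@")
VIA_RE = re.compile(r"^Via: SIP/2\.0/\w+ ([\d.]+):\d+")
UA_RE = re.compile(r"^User-Agent: (.+)$")
BLOCKED_RE = re.compile(r"SIP message from source IP ([\d.]+) is blocked")

def analyze(log_text, trusted=TRUSTED_PROXIES):
    """Return (INVITEs from untrusted Via addresses, Counter of blocked source IPs)."""
    invites, blocked, current = [], Counter(), None
    for line in log_text.splitlines():
        if m := BLOCKED_RE.search(line):
            blocked[m.group(1)] += 1
            current = None
        elif m := INVITE_RE.search(line):
            current = {"target": m.group(1), "source": None, "user_agent": None}
            invites.append(current)
        elif current is not None:
            # The first Via after the request line is the sender's claimed address.
            if (m := VIA_RE.match(line)) and current["source"] is None:
                current["source"] = m.group(1)
            elif (m := UA_RE.match(line)) and current["user_agent"] is None:
                current["user_agent"] = m.group(1).strip()
    suspicious = [i for i in invites if i["source"] not in trusted]
    return suspicious, blocked

if __name__ == "__main__":
    suspicious, blocked = analyze(SAMPLE_LOG)
    for inv in suspicious:
        print("INVITE from untrusted source:", inv)
    print("blocked sources:", blocked.most_common())
```

The Via address is what the sender claims; the device's own `[9]->ip:port` reply line shows where the response was actually sent and can be cross-checked by hand.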

Efim Kuznetsov
Level 1

Nov 12 04:37:47 UC320W user.debug voice: INVITE sip:0041215085034@X.X.X.X:5064 SIP/2.0
To: 0041215085034<sip:0041215085034@X.X.X.X>
From: 1002<sip:1002@X.X.X.X>;tag=4f56334e
Via: SIP/2.0/UDP 77.66.12.140:5070;branch=z9hG4bK-e7e00f8ce7745384199f7c940f1f41e1;rport
Call-ID: e7e00f8ce7745384199f7c940f1f41e1
CSeq: 1 INVITE
Contact: <sip:1002@77.66.12.140:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 280

v=0
o=sipcli-Session 543029397 1353721986 IN IP4 77.66.12.140
s=sipcli
c=IN IP4 77.66.12.140
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

Nov 12 04:37:47 UC320W user.debug voice:

Nov 12 04:37:47 UC320W user.debug voice: [9]->77.66.12.140:5070(363)

Nov 12 04:37:47 UC320W user.debug voice: SIP/2.0 100 Trying
To: 0041215085034<sip:0041215085034@X.X.X.X>
From: 1002<sip:1002@X.X.X.X>;tag=4f56334e
Call-ID: e7e00f8ce7745384199f7c940f1f41e1
CSeq: 1 INVITE
Via: SIP/2.0/UDP 77.66.12.140:5070;branch=z9hG4bK-e7e00f8ce7745384199f7c940f1f41e1
Server: Cisco/UC320W-2.3.3(4)
Allow-Events: talk, hold, conference, x-spa-cti
Content-Length: 0

Ended up dumping the UC320W for FreePBX - the endpoint manager is pretty ordinary, but compared to the UC limitations I can live with it.