UC540 Security Vulnerability?

amelling1
Level 1

I have been having hundreds of very short international calls being placed. My telco tells me that the calls appear to be legitimately coming from our UC540 (through sip trunk).

I have checked all of our user handsets, as well as questioned my staff (who I feel are trustworthy) and I'm convinced that these calls are not being placed by us. Moreover, the calls range from 2 to 82 seconds, hardly long enough to have a meaningful conversation. My telco speculates that there may be some kind of vulnerability with my voice mail system which may allow people to call in and gain access to the box, giving them everything they need to make calls.

I contacted cisco support about it and was all ready to go with my CDR files zipped up, just waiting for the ace support rep to interpret the data and let me know exactly what happened. I was told that the support staff themselves have no way of interpreting their own logs.

Please take a moment and allow that to sink in - Cisco support reps cannot read Cisco CDR files. He pointed me at a number of non-Cisco software products that have been designed to read the files, which I would have to purchase and wade through myself. I was shocked. When I asked him if he thought it was odd that Cisco couldn't provide him with a tool (even a tool someone else had developed) to read the log files created by the device he was hired to support, he responded very casually and said that this is quite normal. OK, I guess I should be fine with this then.

If you purchased a brand new TV that kept log files of all activity, and you were notified by your cable co. that all kinds of specialty channels and pay-per-view events were being erroneously ordered, but the support rep of the TV manufacturer couldn't interpret the files, would this be acceptable to you?

Anyway, I now have to fix the problem and then report to our president what happened, how it happened, how it was fixed and what is preventing it from happening in the future. Has anyone had a similar problem? What did you do about it?

Here are my specs:

Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.0(1)XA3a, SBTG Special
Small Business Support: http://www.cisco.com/go/smallbizhelp
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 08-Jun-10 13:40 by SBTG

ROM: System Bootstrap, Version 12.4(11r)XW3, RELEASE SOFTWARE (fc1)

I know there are newer IOS versions - Please don't just give me the "upgrade the software" advice unless you can point at documentation that describes the vulnerability in my version.

Thanks in advance,

3 Replies

danplacek
Level 4

Sounds like an ACL problem to me. I would check to see if you have an ACL applied to your SIP server. CCA generally does this by default... If you are on newer firmware you can use "ip address trust list" in the "voice service voip" section.

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml

If these calls are happening very often, you could probably even observe one using "debug ccsip messages".

Was this a CCA implemented solution or CLI or both? If CCA what version?

I hope it wasn’t CCA based, as I’m sure 99% with UC540 and UC560 here use the CCA to manage their system.

Either way please post your dial peer config and acl config with config showing where the acls are applied.

Darren DeCroock
Level 4

Hello Andrew,

I know that you don't want to hear upgrade, but the only reason that I mention it is the "Toll Fraud App", which Daniel mentioned above. I am not positive, but I don't think the Toll Fraud App was added until a later release of the IOS. You can check for sure by going into CLI, into the "voice service voip" section, and try adding "ip address trust list" to see if it will accept the command. If not, then a newer IOS is required for the Toll Fraud App.

The Toll Fraud App will block SIP calls from any IP addresses not input by you, which should only be the IP addresses your SIP provider would be sending calls to you from.

Thank you,

Darren
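To make the two mitigations in the replies concrete (the interface ACL danplacek suggests and the Toll Fraud Prevention trusted list Darren describes), here is an added IOS configuration sketch; it is not from either poster and not a UC540 reference config. The SIP provider addresses 192.0.2.10 and 203.0.113.0/24 and the interface name FastEthernet0/0 are placeholders, and the full IOS keyword is `trusted` (`ip address trusted list`), which the abbreviated `trust` used above also matches.

```cisco-ios
! Added example, not from this thread. Placeholder values:
!   192.0.2.10 / 203.0.113.0/24 = SIP provider signalling sources
!   FastEthernet0/0               = WAN interface carrying the SIP trunk
!
! 1) Toll Fraud Prevention trusted list (available from IOS 15.1(2)T):
!    incoming SIP call setup is accepted only from these sources;
!    INVITEs from anywhere else are rejected before a dial peer is matched.
voice service voip
 ip address trusted list
  ipv4 192.0.2.10 255.255.255.255
  ipv4 203.0.113.0 255.255.255.0
 ip address trusted authenticate
!
! 2) Interface ACL so SIP signalling from unknown hosts never reaches
!    the call agent at all (works on older IOS that lacks the trusted list).
!    The trailing "permit ip any any" is a placeholder for the existing
!    WAN policy; replace it with whatever the site already permits.
ip access-list extended SIP-TRUNK-IN
 permit udp host 192.0.2.10 any eq 5060
 permit udp 203.0.113.0 0.0.0.255 any eq 5060
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group SIP-TRUNK-IN in
!
! Verification after applying:
!   show ip address trusted list    -> confirms the configured sources
!   show call history voice brief   -> recent calls with remote address and duration
!   debug ccsip messages            -> watch a rejected INVITE arrive (per danplacek)
```

The `deny ... log` lines produce syslog entries for each blocked SIP attempt, which gives a count of unwanted call setups to put in the incident report alongside the CDRs.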