**Security issue with Bandwidth.com**

I just found a major security issue with 2 systems using Bandwidth.com.  The end users are unrelated.
 
The issue is with Bandwidth's Edgemarc.  Bandwidth.com has opened port 5060 to the entire Internet, unrestricted, and forwards anything received on 5060 to the customer's PBX, router, gateway, UC500.  With this configuration anyone on the Net can point a SIP client to the Edgemarc's public IP and make a phone call.  When the SIP messages are forwarded to the router/UC500 they appear to be sourced from the "trusted" Edgemarc IP, but in fact are sourced from anywhere on the Net.  Note: Bandwidth.com doesn't use SIP registration, they expect you to "trust" the IP of their servers or gear.
 
The disturbing points: the Bandwidth techs had a difficult time understanding why this was a risk....even after watching multiple rogue international calls traverse the Edgemarc.  Also disturbing, one of these Edgemarcs was locked down at one time because I tested for this vulnerability at the time of install, but now that is no longer the case and Bandwidth techs insisted that port 5060 should be open to the entire Internet!?!?!
 
Bottom line, if you are connecting to Bandwidth.com using an Edgemarc or any Bandwidth gear at your site, check the security.  Better yet, do not trust Bandwidth.com with the security of your network.  On a similar, but unrelated note, in one of these cases the end customer also advised me that Bandwidth.com had also left the default passwords on the Edgemarc as well.  The passwords have since been changed due to efforts by the end customer.
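One way to act on the "check the security" advice above, as an added example that is not from the original post, the commenters, or Bandwidth.com: a small Python script that sends a single SIP OPTIONS request (a capability probe, not a call) to a gateway's public IP and reports whether anything answers on UDP/5060. Run from outside your own network against your own gateway, a reply means the device will talk SIP to arbitrary Internet hosts, which is the exposure described in the post; 192.0.2.10 is a placeholder address, not a real gateway.

```python
import socket
import sys
import uuid


def build_options(target_ip, target_port, local_ip, local_port):
    """Build a minimal RFC 3261 OPTIONS request (a benign capability probe, not a call)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # z9hG4bK cookie marks an RFC 3261 branch
    lines = [
        f"OPTIONS sip:{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{target_ip}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(reply):
    """Return (code, reason) from a SIP status line, or None if the bytes are not a SIP response."""
    first = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe(target_ip, target_port=5060, timeout=3.0):
    """Send one OPTIONS over UDP; return the parsed reply status, or None if nothing answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((target_ip, target_port))  # UDP connect sends nothing; it only picks our source address
        local_ip, local_port = sock.getsockname()
        sock.send(build_options(target_ip, target_port, local_ip, local_port))
        return parse_status(sock.recv(4096))
    except OSError:  # socket.timeout is an OSError subclass
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    status = probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")  # 192.0.2.10 is a placeholder
    print("no reply: port looks filtered" if status is None else f"replied {status[0]} {status[1]}: SIP reachable")
```

A gateway locked down to the carrier's proxies should give no reply at all from an unrelated source address; any SIP status line back, including a 4xx, shows the port is open to the Internet.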


Comments

Bandwidth.com's SOP for Edgemarc installs

Thanks for pointing out this issue.  This circumstance is not indicative of our standard Edgemarc deployment procedure. The default setting for Edgemarcs that Bandwidth.com sends to customers is for the proxy ports 5060 to be locked-down to Bandwidth.com's proxy facilities only (this is a simple check-box in the Edgemarc set-up).  In this case, it appears that the Edgemarc may have been "factory defaulted" (since it was locked-down properly in the beginning, as you indicated), which may also explain the default passwords... our standard is not to use the factory defaults for passwords.
We are constantly looking for ways to improve our security processes, so rest assured that we will look further into this situation to see if there are any additional measures we can take to protect the security of our customers and the integrity of our network. Feel free to contact Sean Rivers (srivers at bandwidth.com) if you would like to discuss further.  Thanks!
Bandwidth.com

Thank you for the response

Thank you for the response however, a concern is that the engineers on shift thought we were crazy to even suggest that the Edgemarc be locked down to only Bandwidth.com's proxies.  Possibly your training plans should be reviewed.
 
Only one of the compromised sites had default passwords, but in any case it appears that you are reviewing your processes.
 
Thank you for your efforts.
 
 

From outside your network,

From outside your network, take a simple SIP client like xlite, point it to the public IP of the Edgemarc, tell xlite not to register.  Then dial a number as if you were on your network, i.e. 9.........., or even internal ext.

Xlite

When you used Xlite to test this, did you enter a username and password to authenticate in the SIP account config?  I'm asking because without this information it seems that Xlite will not enable the SIP account.

You can enter the user name,

You can enter the user name, password, Auth name......domain should be the Edgemarc IP....uncheck Register with domain.  I click the proxy button and enter the Edgemarc IP there too.
 
click OK and it should do its thing.

This is concerning

Can you elaborate on how you came to realize this?  I have two clients currently using Edgemarcs.  I just checked and they are both configured to use the default username and password and the web interface is accessible from the internet.  I'd like to verify if the Edgemarc is also allowing connections on port 5060 from anyone.

Wow!  Thanks for posting this

Wow!  Thanks for posting this information.  Hopefully Bandwidth.com will respond publicly about this.
