Send VoiceOps mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."
Today's Topics:
   1. Re: NOTICE: To all providers using the Grandstream HT502/HT503 (Ryan Delgrosso)
   2. Re: NOTICE: To all providers using the Grandstream HT502/HT503 (Erik Flournoy)
   3. Re: SIP-to-TDM gateway appliance (Nathan Anderson)
   4. Re: SIP-to-TDM gateway appliance (David Wessell)
----------------------------------------------------------------------
Message: 1
Date: Wed, 06 Feb 2013 14:34:57 -0800
From: Ryan Delgrosso <[email protected]>
To: Erik Flournoy <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] NOTICE: To all providers using the Grandstream
HT502/HT503
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Plausible since I see a firmware release for the same and based on my
experience they largely share the same codebase.
On 02/06/2013 02:29 PM, Erik Flournoy wrote:
> Hey do you know if that affects the GXW as well?
>
>
> Erik Flournoy
> 808-426-4527
> 301-218-7325
>
> CONFIDENTIALITY NOTICE
> This e-mail message, including any attachments from EESPRO.com -
> contain information which is CONFIDENTIAL AND/OR LEGALLY PRIVILEGED.
> The information is intended only for the use of the individual named
> above and may not be disseminated to any other party without written
> permission. If you are not the intended recipient, or the employee or
> agent responsible for delivering the message to the intended
> recipient, you are hereby notified that any dissemination, disclosure,
> distribution, copying or taking of any action in reliance on the
> contents of this e-mailed information is strictly prohibited. If you
> have received this transmission in error, please immediately notify
> [email protected], and permanently delete this
> e-mail and the attachments hereto, if any, and destroy any printout
> thereof.
>
>
> On Wed, Feb 6, 2013 at 12:15 PM, Ryan Delgrosso <[email protected]> wrote:
>
> All,
> Over the last few months we have uncovered a vulnerability in the
> HT502 that allows for theft of credentials from customer devices.
> I am sending this out since the issue has now been resolved in a
> new release of firmware BUT Grandstream have NOT sent out any kind
> of pro-active notifications nor included this fix in their release
> notes for this build. After conferring with some other sizable
> providers also using this device at scale, they were able to
> "connect the dots" on their up-tick in fraud based on our discovery.
>
>
> First some history:
>
> We currently have over 50,000 deployed HT502s in active customer
> service.
>
> Beginning in December we saw an immediate and sizable up-tick in
> fraud by easily an order of magnitude.
>
> Statistical analysis of the fraud showed the ONLY linking factor
> to be the fact that the compromised accounts were ALL using the
> HT502 device AND had WAN port access enabled to the device, and we
> as the provider were locked out (admin password changed, no longer
> provisioning from us on scheduled interval).
>
> After some digging and conferring with Grandstream technical gurus
> it was confirmed there was a buffer overflow vulnerability that
> would allow a remote attacker to change the admin password WITHOUT
> rebooting the device or otherwise having any administrative access
> to it. Once the password was changed the attacker could log in
> with the new password and complete control. On all versions prior
> to 1.0.5.10 the SIP credentials could be extracted from the admin
> website with the "Download config" option. On versions up to
> 1.0.8.4 the SIP credentials were STILL extractable from the telnet
> interface if the provisioning values were known by the attacker.
>
> All of these vulnerabilities are fixed in version 1.0.9.1. I
> encourage you to test and deploy this version ASAP.
>
>
> I am sending this out in a purely advisory capacity in the hopes
> that education will prevent further monetary damages. Please feel
> free to contact me on or off list if you want to know more about
> this issue.
>
> -Ryan
>
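The version thresholds and the lock-out pattern from the advisory quoted above, turned into a fleet check (an added example, not code from the list or from Grandstream). The inventory fields, the one-day provisioning interval, the three-missed-check-ins rule and the sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds quoted from the advisory.
CONFIG_LEAK_FIXED_IN = (1, 0, 5, 10)  # "all versions prior to 1.0.5.10"
TELNET_LEAK_UP_TO = (1, 0, 8, 4)      # "versions up to 1.0.8.4"
ALL_FIXED_IN = (1, 0, 9, 1)           # "fixed in version 1.0.9.1"


def parse_version(text):
    """Turn '1.0.5.10' into (1, 0, 5, 10) so 1.0.5.10 sorts after 1.0.5.9."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected firmware version: {text!r}")
    return parts


def exposures(firmware):
    """List the advisory's issues that still apply to a firmware version."""
    v = parse_version(firmware)
    found = []
    if v < ALL_FIXED_IN:
        # Assumption: the advisory gives no lower bound for the overflow,
        # so every build before the fixed release is treated as affected.
        found.append("admin-password-overflow")
    if v < CONFIG_LEAK_FIXED_IN:
        found.append("config-download-credential-leak")
    if v <= TELNET_LEAK_UP_TO:
        found.append("telnet-credential-leak")
    return found


@dataclass
class Device:
    device_id: str              # hypothetical inventory key
    firmware: str               # last version reported to provisioning
    wan_admin: bool             # WAN port access to the device enabled
    last_provisioned: datetime  # last successful scheduled provisioning


def triage(dev, now, interval=timedelta(days=1), missed=3):
    """Rank one device; interval and missed are assumed policy values."""
    issues = exposures(dev.firmware)
    silent = now - dev.last_provisioned > interval * missed
    if issues and dev.wan_admin and silent:
        return "suspect"   # the lock-out pattern described in the advisory
    if issues and dev.wan_admin:
        return "exposed"   # reachable from the WAN and unpatched
    if issues:
        return "upgrade"
    return "ok"


# Constructed sample inventory, not real devices.
NOW = datetime(2013, 2, 6, 12, 0)
FLEET = [
    Device("dev-001", "1.0.5.9", True, NOW - timedelta(days=9)),
    Device("dev-002", "1.0.8.4", True, NOW - timedelta(hours=5)),
    Device("dev-003", "1.0.5.10", False, NOW - timedelta(hours=2)),
    Device("dev-004", "1.0.9.1", True, NOW - timedelta(hours=1)),
]


def report(fleet=FLEET, now=NOW):
    """Map each device id to its triage status."""
    return {d.device_id: triage(d, now) for d in fleet}


if __name__ == "__main__":
    for device_id, status in report().items():
        print(device_id, status)
```

Devices ranked "suspect" are the ones whose SIP credentials should be treated as stolen and rotated, since upgrading the firmware does not undo an earlier extraction.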
------------------------------
Message: 2
Date: Wed, 6 Feb 2013 12:29:54 -1000
From: Erik Flournoy <[email protected]>
To: [email protected]
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] NOTICE: To all providers using the Grandstream
HT502/HT503
Message-ID:
<caduv08zavssqgus15unqdzkzc6zf74p1rhg70ep+6stcvx5...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hey do you know if that affects the GXW as well?
Erik Flournoy
808-426-4527
301-218-7325
------------------------------
Message: 3
Date: Wed, 6 Feb 2013 14:42:11 -0800
From: Nathan Anderson <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: Re: [VoiceOps] SIP-to-TDM gateway appliance
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="us-ascii"
(remember to "Reply All"! :-))
Holy crap. I don't know how I missed the pricing for AdTran Total Access. I
guess after I saw what AudioCodes and MediaTrix and Sangoma go for on average,
I must have made an assumption about AdTran pricing. That totally blows
Digium's seemingly-aggressive pricing out of the water, especially if it covers
all of my use-cases (which I already know the Digium doesn't).
-- Nathan
-----Original Message-----
From: David Wessell [mailto:[email protected]]
Sent: Wednesday, February 06, 2013 2:15 PM
To: Nathan Anderson
Subject: Re: [VoiceOps] SIP-to-TDM gateway appliance
Seconded. This is a killer topic. We've just closed our first deal for this
type of situation. I had planned on going with a Adtran 904 ($725 on NewEgg)
but am very interested to hear other options.
Thanks
David
David Wessell
Chief Packet Slinger
Ringfree Communications, LLC
t: 828-575-0030
e: [email protected]
w: ringfree.biz
On Feb 6, 2013, at 5:04 PM, Nathan Anderson <[email protected]>
wrote:
I know this has been a topic of conversation in the past, but things
might have changed since the last discussion and I'm wondering what the market
is currently like for such devices.
We deliver voice strictly via SIP/RTP, but naturally there are some
potential customers out there that still have an older, non-IP-aware PBX that
they're not ready to throw out yet. What are the best and most cost-effective
gateway options out there at this time? We are specifically looking for one
that has a single T1 interface that can operate in either CAS or PRI modes.
Special requirements:
1) We need to be able to do DID manipulation between T1 and SIP; I
presume this is a rather standard feature in most gateways given that most SIP
trunk providers will send at least 10-digit DNIS (in the INVITE and "To"
fields) but DNIS on PRI is often only the last 3 or 4 digits of the TN.
2) There may be certain situations where we want to leave the PBX
configuration as untouched/unchanged as possible (drop-in replacement service),
and where there is no correlation between target DID and the telephone number
(e.g., 212-555-1212 is called, PBX is sent 4001). We'd like a gateway where
static mappings like that for DID manipulation are possible, rather than just a
general rule that says "strip the first 6 digits off before sending to the PRI".
3) For outgoing calls, the device needs to put the calling DID (the
desired Caller-ID/ANI) in the PAI header, and also needs to be able to be
configured to override "From" with a static alphanumeric value (so "From" and
PAI should not match; "From" will not contain the desired ANI).
4) In T1 CAS signalling modes such as E&M Wink where it is possible to
transmit CLID and target DID information via DTMF to the PBX, different PBXes
potentially have different formats that they want to see this information in;
for example, a Nortel Norstar would expect to see *CALLERID*DNIS* (e.g.,
*2125550001*1212* where the caller is 212-555-0001 and the destination is
212-555-1212). Are there any gateways that support this?
5) It needs to have a T.38 gateway mode that can recognize a fax call,
either send or accept a re-INVITE with a T.38 SDP as appropriate, and perform
the "transcoding" from/to T.38 between the T1 channel and the RTP session.
Just resorting to G.711 for fax passthrough is not desirable...any gateway can
do that.
6) If in T1 CAS mode, and the PBX takes a channel "off-hook" to place
an outbound call, the gateway should generate an audible dialtone.
...and, of course, it would be nice if we could find such a device <
$1,000. :-P
I know I could build one myself with a mini PC and a single-span T1
card that was running Asterisk 10 and easily hit that price point, but I'd
rather find a supported, off-the-shelf solution to sell to our customers, if
possible.
There are the "usual suspects", of course: AdTran, MediaTrix,
AudioCodes, and so forth. AdTran seems to get talked about a lot here. Let's
say price was no object for a second. Does anyone know if there is a model
amongst any of the ones these manufacturers produce that fulfills the above
list of requirements?
Does anybody have any experience with Digium's relatively new line of
gateways (G100/G200)? I think it would support some of these scenarios (#1 and
#3) but I'm not sure about the remaining ones. Unfortunately, although it most
certainly runs on an Asterisk core, that core is only exposed to you through a
clever but still-limited GUI; with direct access to the dialing plan
(extensions.conf) I could accomplish all of these things myself. The price is
certainly right, though.
If only somebody made a reasonably-priced single-board-computer that
ran raw, embedded Asterisk and had a single-span T1 interface on it. Oh wait,
somebody does!:
http://switchvoice.com/index.php?page=shop.product_details&flypage=flypage-ask.tpl&product_id=9&category_id=2&option=com_virtuemart&Itemid=30
http://www.odints.com/pages/prod/completesolutions/alvis-pbx/alvisfs.htm
Only problem is that the first company doesn't have a U.S. distributor,
and the second doesn't have a distributor that sells in single-unit quantities.
Would love to hear y'all's thoughts on this subject.
Thanks,
--
Nathan Anderson
First Step Internet, LLC
[email protected]
------------------------------
Message: 4
Date: Wed, 6 Feb 2013 22:43:16 +0000
From: David Wessell <[email protected]>
To: Nathan Anderson <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] SIP-to-TDM gateway appliance
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
Also Netxusa (Our main wholesale supplier) has a similar price. I'd always
suggest buying from them over Newegg due to the support. (I'm a huge fan of
Netxusa).
dw
David Wessell
Chief Packet Slinger
Ringfree Communications, LLC
t: 828-575-0030
e: [email protected]
w: ringfree.biz
------------------------------
End of VoiceOps Digest, Vol 44, Issue 6
***************************************