DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

sipvicious exploits port 5060 on 2820Vn with latest firmware

  • 414nsw
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
05 May 2011 10:34 #67595 by 414nsw
OK, my VoIP PBX service provider has shut down my account due to some malicious activity.

It turns out that port 5060, even though most port scanners report as being closed is actually still vulnerable as demonstrated by sipvicious.

I was on Firmware 3.3.4.1 and noticed a new version that apparently fixes this problem in version 3.3.5.2.
I upgraded to 3.3.5.2 but sorry to say that sipviscious is still reporting this port as exploitable.

My SIP PBX service provider is still blocking all outgoing traffic due to this security breach as remote hackers are making calls for FREE using it, at our expense.
This is a SERIOUS SECURITY flaw - can somebody advise a fix ASAP.

Please be warned!!

Please Log in or Create an account to join the conversation.

More
05 May 2011 10:41 #67597 by admin
What exactly is the alleged exploit? Is this actually a risk? How does it work? Do you have a specific description? A port can't be closed or mute if it's required to operate a service.

can somebody advise a fix ASAP.



Report it to DrayTek directly!



Forum Administrator

Please Log in or Create an account to join the conversation.

  • 414nsw
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
05 May 2011 11:04 #67599 by 414nsw
Its been reported.

Even though port 5060 (used for SIP) is neither port forwarded or open on the router its showing up as available when using malicious SIP attack tools like sipvicious.

Sipvicious gives the following information when probing the system - the system should return NO information what so ever when probing these ports.

| SIP Device | User Agent | Fingerprint |


| xx.xxx.xxx.xxx:5060 | unknown | disabled |

My IP address was masked above. Basically it gives hackers the opportunity to exploit your SIP account and make calls through your SIP service for FREE and at your expense.

My SIP service provider has disabled my account for outgoing traffic as this poses a security threat. Until its fixed I cannot make any outgoing calls!!!

This was apparently fixed in the latest firmware, but this does not appear to be the case.

This was the reported fix I saw that I assumed would would have resolved the problem:

2. Add protection for SIP parser to prevent malicious UDP 5060 port attack

If port 5060 is acknowledging probes to sipvicious (which it should not) then what other hidden weaknesses does the system have ???

Please Log in or Create an account to join the conversation.

More
05 May 2011 13:14 #67601 by admin

414NSW wrote:
| xx.xxx.xxx.xxx:5060 | unknown | disabled |

... it gives hackers the opportunity to exploit your SIP account and make calls through your SIP service for FREE and at your expense.



HOW? Another site, which has been around for years (ShieldsUP!) was criticised by all sorts of people by implying that an open port was by its nature 'vulnerable' which was scaremongering. Sometimes/most often, it's the equivalent of your house doorbell. Just because someone can see a doorbell, and ring it, doesn't make your house insecure, unless you don't lock the door, or you open it without asking who's there.

The Vigor2820Vn does not provide any SIP proxy/registrar/realy facility (it's not a SIP server) so how can responding to a scan with generic/plan info be used to make calls at your expense ?



Forum Administrator

Please Log in or Create an account to join the conversation.

  • 414nsw
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
05 May 2011 13:52 #67602 by 414nsw
This port is not OPEN nor is it PORT FORWARDED so why is it responding to a scan at all ???

It exposes a vulnerability in itself that gives hackers the potential to dig further.

When I'm behind closed doors I don't want people seeing in at all as I may as well have just left the door open in the first place.

Please Log in or Create an account to join the conversation.

More
05 May 2011 14:11 #67603 by admin

414NSW wrote: It exposes a vulnerability in itself that gives hackers the potential to dig further.



That's not a 'vulnerability' ! It's only a vulnerability if there's something to exploit. It seems very strange that your ISP/ITSP would block your account just because you have equipment which supports SIP visible on the internet - any IP PBX would have to do that for remote extensions to work, so do they block those too.

I don't want people seeing in at all as I may as well have just left the door open in the first place.



What door? Like I said, the V2820Vn doesn't have a proxy/server facility - you can't make calls on it, locally or remotely other than by lifiting the analogue handset. It's a doorbell, not an open door!



Forum Administrator

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami