[Asterisk-Users] Suggestion re: SIP/NAT/*

Stewart Nelson sn at scgroup.com
Fri Oct 29 12:51:03 MST 2004


> On the client side, I'm not sure
> what the risk is to say a SIP phone that has 5060 and some rtp ports
> forwarded to it. Maybe someone can come in and list the threats to
> both ends of a double NAT setup? I'm sure hundreds of us would be very
> interested in this!

Here is a simple example.  A user with a home office has a Cisco
ATA-186 for SIP communication with his company's * PBX.

1.  He puts the ATA in the DMZ, because he isn't sure what he has
    to forward, or he intentionally forwards port 80, so the office
    staff can administer the box.  It has a strong password, so
    he doesn't worry.

2.  His firmware has the Password Disclosure Vulnerability, see
http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml

3.  Attacker accesses configuration web page on device.

4A. Attacker modifies configuration to send calls through his proxy,
    listens in on calls.  Or,

4B. Attacker downloads new firmware into ATA from his site, installing
    LAN packet sniffer.

In another case, a user has a SIP phone that polls a server for
configuration updates via TFTP, but lacks strong encryption.
Attacker sends forged UDP packets in response to (assumed)
TFTP request, downloads malicious config.

There are lots more.

--Stewart
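
An added example, not part of the original post: a passive check over captured UDP records for the forged TFTP reply case described above. It flags DATA replies to a phone's read request that come from an address other than the provisioning server, or from a second source port (transfer ID) for the same request. The addresses, file names and helper names are constructed for illustration.

```python
import struct

RRQ, DATA = 1, 3  # TFTP opcodes (RFC 1350)

def parse_tftp(payload):
    """Return (opcode, detail): file name for RRQ, block number for DATA."""
    if len(payload) < 4:
        return None, None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode == RRQ:
        return opcode, payload[2:].split(b"\x00", 1)[0].decode("ascii", "replace")
    if opcode == DATA:
        return opcode, struct.unpack("!H", payload[2:4])[0]
    return opcode, None

def find_suspect_tftp_replies(packets, provisioning_server):
    """Flag DATA replies that come from an unexpected address, or from a
    second transfer ID (source port) answering the same read request."""
    pending = {}  # (client_ip, client_port) -> [file name, first (ip, port) seen]
    alerts = []
    for src, sport, dst, dport, payload in packets:
        opcode, detail = parse_tftp(payload)
        if opcode == RRQ and dport == 69:
            pending[(src, sport)] = [detail, None]
        elif opcode == DATA and (dst, dport) in pending:
            entry = pending[(dst, dport)]
            if src != provisioning_server:
                alerts.append(("unexpected-source", entry[0], src, sport))
            elif entry[1] is None:
                entry[1] = (src, sport)  # first reply fixes the transfer ID
            elif entry[1] != (src, sport):
                # Two senders claim the server's address: one of them is forged.
                alerts.append(("competing-tid", entry[0], src, sport))
    return alerts

def rrq(name):
    return struct.pack("!H", RRQ) + name.encode() + b"\x00octet\x00"

def data(block, body):
    return struct.pack("!HH", DATA, block) + body

SERVER = "198.51.100.5"  # constructed capture below, documentation addresses only
SAMPLE = [
    ("192.0.2.10", 40000, SERVER, 69, rrq("phone-a.cfg")),
    (SERVER, 51000, "192.0.2.10", 40000, data(1, b"first reply")),
    (SERVER, 3456, "192.0.2.10", 40000, data(1, b"second reply")),
    ("192.0.2.11", 40001, SERVER, 69, rrq("phone-b.cfg")),
    ("203.0.113.9", 6000, "192.0.2.11", 40001, data(1, b"off-net reply")),
    (SERVER, 3457, "192.0.2.11", 40001, data(1, b"server reply")),
]
```

A "competing-tid" alert does not say which of the two replies is genuine, only that the transfer was contested and the configuration the phone loaded should be checked.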



