I just found a major security issue with 2 systems using Bandwidth.com.  
The end users are unrelated.
 
The issue is with Bandwidth's Edgemarc.  Bandwidth.com has opened port 
5060 to the entire Internet, unrestricted, and forwards anything 
received on 5060 to the customer's PBX, router, gateway, UC500.  With 
this configuration anyone on the Net can point a SIP client to the 
Edgemarc's public IP and make a phone call.  When the SIP messages are 
forwarded to the router/gateway they appear to be sourced from the 
"trusted" Edgemarc IP, but in fact are sourced from anywhere on the 
Net.  Note: Bandwidth.com doesn't use SIP registration, they expect you 
to "trust" the IP of their servers or gear.
 
The disturbing points: the Bandwidth techs had a difficult time 
understanding why this was a risk....even after watching multiple rogue 
international calls traverse the Edgemarc.  Also disturbing, one of 
these Edgemarcs was locked down at one time because I tested for this 
vulnerability at the time of install, but now that is no longer the case 
and Bandwidth techs insisted that port 5060 should be open to the entire 
Internet!?!?!
 
Bottom line, if you are connecting to Bandwidth.com using an Edgemarc or 
any Bandwidth gear at your site, check the security.  Better yet, do not 
trust Bandwidth.com with the security of your network.  On a similar, 
but unrelated note, in one of these cases the end customer also advised 
me that Bandwidth.com had also left the default passwords on the 
Edgemarc as well.  The passwords have since been changed due to efforts 
by the end customer.
_______________________________________________
sipx-users mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
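
Added example (not part of the original post, and not Bandwidth or Edgemarc code): because every request reaches the PBX from the trusted Edgemarc IP, a PBX-side check has to look at the SIP layer instead of the packet source. This Python code flags INVITEs whose previous Via hop lies outside the provider's signaling range; the addresses, the helper names and the assumption that the Edgemarc forwards Via headers unrewritten are all hypothetical.

```python
import ipaddress

# Assumed placeholders (documentation address ranges), not values from the post.
EDGEMARC_IP = "192.0.2.1"                                   # source IP the PBX trusts
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # provider signaling range

def header(message, *names):
    """Values of the named headers (case-insensitive), top to bottom."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.partition(":") for line in lines)
    return [value.strip() for name, _, value in pairs if name.strip().lower() in names]

def via_hops(message):
    """Address of each Via hop, top to bottom; received= wins over sent-by (IPv4 only)."""
    hops = []
    for value in header(message, "via", "v"):            # "v" is the compact form
        for entry in filter(str.strip, value.split(",")):  # hops may share a line
            sent_by, *params = [p.strip() for p in entry.split(None, 1)[-1].split(";")]
            received = [p[9:] for p in params if p.lower().startswith("received=")]
            hops.append(received[0] if received else sent_by.rsplit(":", 1)[0])
    return hops

def from_provider(hop):
    try:
        return any(ipaddress.ip_address(hop) in net for net in PROVIDER_NETS)
    except ValueError:
        return False                                     # hostname or missing hop

def flag_invites(samples):
    """Call-IDs of INVITEs from the trusted IP that the provider did not hand over."""
    flagged = []
    for src_ip, msg in samples:
        # Previous hop: first Via entry that is not the Edgemarc's own.
        prev = next((h for h in via_hops(msg) if h != EDGEMARC_IP), "")
        if src_ip == EDGEMARC_IP and msg.startswith("INVITE ") and not from_provider(prev):
            flagged.append(header(msg, "call-id", "i")[0])
    return flagged

def invite(call_id, *vias):
    """Build a constructed INVITE with the given Via values (sample data only)."""
    lines = ["INVITE sip:15555550100@pbx.example.test SIP/2.0"]
    lines += ["Via: SIP/2.0/UDP " + v for v in vias]
    return "\r\n".join(lines + ["Call-ID: " + call_id, "Content-Length: 0", "", ""])

# Constructed traffic as seen by the PBX: (packet source IP, raw SIP request).
SAMPLES = [
    (EDGEMARC_IP, invite("provider-1", "192.0.2.1:5060;branch=z9hG4bK1", "198.51.100.20:5060;branch=z9hG4bK2")),
    (EDGEMARC_IP, invite("internet-1", "192.0.2.1:5060;branch=z9hG4bK3", "203.0.113.77:5060;branch=z9hG4bK4")),
    (EDGEMARC_IP, invite("internet-2", "192.0.2.1:5060;branch=z9hG4bK5", "198.51.100.20:5060;received=203.0.113.99;branch=z9hG4bK6")),
]

if __name__ == "__main__":
    print(flag_invites(SAMPLES))
```

Via values are set by the sender, so this is a detection aid for spotting the traffic in logs or captures, not an access control. The control the post asks for is still restricting port 5060 on the Edgemarc to the provider's own addresses.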