DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
sipvicious exploits port 5060 on 2820Vn with latest firmware
05 May 2011 10:34 #67595
by 414nsw
sipvicious exploits port 5060 on 2820Vn with latest firmware was created by 414nsw
OK, my VoIP PBX service provider has shut down my account due to some malicious activity.
It turns out that port 5060, even though most port scanners report it as being closed, is actually still vulnerable, as demonstrated by sipvicious.
I was on Firmware 3.3.4.1 and noticed a new version that apparently fixes this problem in version 3.3.5.2.
I upgraded to 3.3.5.2 but sorry to say that sipvicious is still reporting this port as exploitable.
My SIP PBX service provider is still blocking all outgoing traffic due to this security breach as remote hackers are making calls for FREE using it, at our expense.
This is a SERIOUS SECURITY flaw - can somebody advise a fix ASAP.
Please be warned!!
05 May 2011 10:41 #67597
by admin
Forum Administrator
Replied by admin on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
What exactly is the alleged exploit? Is this actually a risk? How does it work? Do you have a specific description? A port can't be closed or mute if it's required to operate a service.
Report it to DrayTek directly!
05 May 2011 11:04 #67599
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
It's been reported.
Even though port 5060 (used for SIP) is neither port forwarded nor open on the router, it's showing up as available when using malicious SIP attack tools like sipvicious.
Sipvicious gives the following information when probing the system - the system should return NO information whatsoever when probing these ports.
| SIP Device | User Agent | Fingerprint |
| xx.xxx.xxx.xxx:5060 | unknown | disabled |
My IP address was masked above. Basically it gives hackers the opportunity to exploit your SIP account and make calls through your SIP service for FREE and at your expense.
My SIP service provider has disabled my account for outgoing traffic as this poses a security threat. Until it's fixed I cannot make any outgoing calls!!!
This was apparently fixed in the latest firmware, but this does not appear to be the case.
This was the reported fix I saw that I assumed would have resolved the problem:
2. Add protection for SIP parser to prevent malicious UDP 5060 port attack
If port 5060 is acknowledging probes to sipvicious (which it should not) then what other hidden weaknesses does the system have ???
05 May 2011 13:14 #67601
by admin
Replied by admin on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
414NSW wrote:
| xx.xxx.xxx.xxx:5060 | unknown | disabled |
... it gives hackers the opportunity to exploit your SIP account and make calls through your SIP service for FREE and at your expense.
HOW? Another site, which has been around for years (ShieldsUP!) was criticised by all sorts of people by implying that an open port was by its nature 'vulnerable' which was scaremongering. Sometimes/most often, it's the equivalent of your house doorbell. Just because someone can see a doorbell, and ring it, doesn't make your house insecure, unless you don't lock the door, or you open it without asking who's there.
The Vigor2820Vn does not provide any SIP proxy/registrar/relay facility (it's not a SIP server) so how can responding to a scan with generic/plain info be used to make calls at your expense?
Forum Administrator
05 May 2011 13:52 #67602
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
This port is not OPEN nor is it PORT FORWARDED so why is it responding to a scan at all ???
It exposes a vulnerability in itself that gives hackers the potential to dig further.
When I'm behind closed doors I don't want people seeing in at all as I may as well have just left the door open in the first place.
05 May 2011 14:11 #67603
by admin
Replied by admin on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
414NSW wrote:
It exposes a vulnerability in itself that gives hackers the potential to dig further.
That's not a 'vulnerability'! It's only a vulnerability if there's something to exploit. It seems very strange that your ISP/ITSP would block your account just because you have equipment which supports SIP visible on the internet - any IP PBX would have to do that for remote extensions to work, so do they block those too?
414NSW wrote:
I don't want people seeing in at all as I may as well have just left the door open in the first place.
What door? Like I said, the V2820Vn doesn't have a proxy/server facility - you can't make calls on it, locally or remotely other than by lifting the analogue handset. It's a doorbell, not an open door!
Forum Administrator
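The distinction argued over in this thread (a device that answers a SIP probe versus one that sets up calls without credentials) can be read from the replies a device gives. The following is an added example, not part of any post; the function names, verdict labels and SIP messages are constructed for illustration.

```python
# Added example, not from the thread. All SIP messages below are constructed.

def parse_sip_response(raw):
    """Return (status_code, headers) from a raw SIP response (RFC 3261 layout)."""
    head = raw.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/") or not parts[1].isdigit():
        raise ValueError("not a SIP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(method, raw):
    """What does one reply (or None for silence) tell an outsider?"""
    if raw is None:
        return "silent"
    status, _ = parse_sip_response(raw)
    if method == "OPTIONS":
        return "visible"                  # answers a probe: the doorbell
    if status in (401, 407):
        return "auth-required"            # challenge issued: the door is locked
    if status < 300:
        return "accepts-unauthenticated"  # call setup proceeds without credentials
    return "rejected"

def assess(replies):
    """replies: {method: raw bytes or None}. Returns (verdict, user_agent)."""
    agent = "unknown"                     # same default as the scan table above
    results = set()
    for method, raw in replies.items():
        results.add(classify(method, raw))
        if raw is not None:
            _, headers = parse_sip_response(raw)
            agent = headers.get("user-agent") or headers.get("server") or agent
    if "accepts-unauthenticated" in results:
        return "exploitable", agent
    if results == {"silent"}:
        return "stealth", agent
    return "visible-only", agent

# Constructed replies (192.0.2.x is a documentation address range)
OPTIONS_OK = b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\nContent-Length: 0\r\n\r\n"
INVITE_401 = (b"SIP/2.0 401 Unauthorized\r\nServer: ExamplePBX\r\n"
              b'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n\r\n')
INVITE_100 = b"SIP/2.0 100 Trying\r\nContent-Length: 0\r\n\r\n"
```

A reply to OPTIONS alone yields "visible-only"; only an unauthenticated INVITE or REGISTER that is not challenged yields "exploitable".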
Moderators: Chris, Sami
Copyright © 2024 DrayTek