UCM6202 hacked. Is there an unknown backdoor?


#16

This may be true, but the office is not frequented by the general public and seems secure enough, but I will take your suggestion on board.


#17

That is the ultimate goal, but I am having trouble achieving that with the current network hardware.
I may have to discuss the purchase and installation of firewall hardware with the client. Their current modem router is too basic to provide full protection and lock down.
No other devices are on this network, as it is just for the VoIP equipment. PCs are on a different network with their own modem router.
Thank you for your input.


#18

Well, I may have had the same issue.

I am in Texas, the client is in Alabama. I sent the client’s IT company the directions about what I wanted with the firewall which was to shut down all SIP traffic and then only open port 8089 (web) to my IP.

I get a UCM email about a login from admin being successful. I have not given the password to anyone. I check the IP in the email and it too is from Palestine -

The firmware running in the unit was 20.19 or 20.20.

I got into the unit, and examined the logs -

  1. Email log does not show email being sent.
  2. Event log does not show any successful login, but mine.
  3. CDR shows no unusual activities
  4. Export of extensions shows no new emails or call forwarding activity.

There is no evidence of the entry or alteration of the system, but, I had received a couple of emails earlier in the day about the memory threshold being exceeded. But, shortly thereafter I got another one that the UCM had recovered the space and it was back to normal -

The email log does reflect emails being sent at the time of the memory issue, but nothing after that until I logged in once I got the email about the successful login from Palestine. The previous email was from 3/11, when I was setting up the system. If you look at the memory email and then the login email, they were 6.5 hours apart.

So, as I was in the system, I immediately changed the username and password and rebooted. Upon the system coming up I updated the firmware to the 10.23.

The system was on analog only, but while I don’t think anything happened, the fact that the logs & CDR show nothing does make me wonder what else they don’t show.

Of course, I wondered about how and why. I then logged into a client system and tried to see if I could get to the Web Gui…and yes I could. There will be a discussion coming with the client’s IT company as they assured me they had set the firewall up correctly.

Nevertheless, it does make me concerned that logging was averted to the extent that I can’t help but wonder if something else is lurking that the security fix does not address.


#19

Very interesting, Larry.
I’ve had no further attacks (yet) since I upgraded the firmware to 1.0.20.22 (latest general release), and strengthened the admin password. Also changed the superadmin username from ‘admin’ to something else, and changed the HTTPS port from 8089 to another port number.
If there is a backdoor into the UCM, nobody is going to talk about it here in an open forum.


#20

The latest is 10.23; another release today for security. I am currently updating the client base.


#21

Yes, I’ve just seen that 1.0.20.23 has gone from Beta to general release.
Thanks for the tip.


#22

Absolutely WRONG: the rules of NAT must be done OBLIGATORILY on the Firewall and ACL; the attacker must NOT arrive at the UCM, otherwise you will always have only problems.
My advice, then do as you think.


#23

This is very worrying indeed, because this issue was addressed with the last firmware on the UCM 6102, 1.0.18.17, and now another update, 1.0.18.18.

I had a system with the user ja3ck that logged in on a version before 18.17.

Using firewall rules should not be the main way to protect the UCM; it should only be there as an additional layer of security. The fact that someone somewhere knows how to exploit the system is very worrying.

I hope someone from GS can respond; it should not be that we have to rely on firewall rules to protect the system. The web server should be adequately protected. After all, if this was a DDOS attack then yes, you could say the firewall rules.

But to log in with admin, and I am sure with you being such an experienced user there is no way the password could be guessed.

The private key of the UCM has obviously been compromised. Once the attacker gets the return value from the table he then decrypts it using the key. The multiple attempts are not coming from guessing the username and password but from trying various SQL injection strings to get a return value. Surely the value is not stored in plain text, so to use the returned value the private key must be known. If this is indeed how this is happening then you can change the username to anything you like; it will not make a difference if the person doing the attack knows the string to use to get back the value he needs and he has the private key. "I am thinking out loud here, since it is one thing for us to fix by upgrading but we also need to try to understand why this happens, if we did not do something correctly or if it was out of our control."

Now to update so many systems, such a headache when I just brought most of them to 18.17. Very frustrated…


#24

As I’ve said repeatedly, the offender must not arrive at the UCM.
Therefore it is mandatory to create the firewall rules in ACL.
At this point only authorized IPs (Provider, support, etc.) arrive at UCM.
I have never suffered attacks with this system to date.
Then also the “White House” suffers attacks, so a 100% secure system does not exist.
Obviously, if, like 95% of the people I read on the forum, you do not use the rules in ACL, it is a wrong starting point.
A Bank for example does not put the protection only to the “Caveau” but it blinds the external doors, puts anti-theft devices etc… you have to make sure that the attacker does NOT get to the “vault”.
In my example the “vault” is UCM.
Activate on the Firewall the rules in ACL … ALWAYS
That UCM on board has a firewall, fail2ban etc… is a “plus”, remember that UCM is a VoIP Server, not a defense tool.
Every camera does its duty, the camera must do well the photos, a mobile phone must do correctly the phone calls, as long as you blame a mobile phone for “bad” photos we are on the wrong road.
I’m writing it practically every day, maybe I may be hated, but it doesn’t matter, the purpose is to say my opinion, the main purpose of any forum is this.
Then if we want to talk about the shortcomings of the UCM let’s talk about it, but the important thing is to properly manage the external firewall.
Then let me make a note, a lot of people here don’t speak well about Grandstream from a security point of view, continuous failures, continuous updates, continuous problems.
Raise your hand if you know only one competitor product free from these problems.
Just to name a few names, I’ve seen problems on Yeastar, Panasonic, all Asterisk-based systems, etc…
It’s a continuous chase after the problem, the Producer creates the patches, the malicious creator creates the way to defraud, so endlessly.
Guys, don’t let the attacker get to the UCM, you’ll have solved at least 90% of the problem.

Bye-bye
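The advice in this post and the ones that repeat it is a default-deny allow-list on the external firewall: only the SIP provider reaches the SIP port, only the installer's address reaches the web GUI, and everything else from outside never touches the PBX. The Python below is an added example, not Grandstream's code or any forum member's configuration. It models such an allow-list, evaluates constructed connection attempts against it, and renders the same policy as iptables commands as one possible target syntax; every address and the PBX's internal IP are constructed.

```python
"""Default-deny allow-list for an IP PBX behind an external firewall.

Added example, not Grandstream's code or any forum member's configuration.
Addresses are constructed. The policy follows the thread's advice: provider
to SIP, support address to web GUI, everything else dropped before the PBX.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src proto dport comment")

# Constructed allow-list; real provider and support addresses go here.
ALLOW = [
    Rule(ipaddress.ip_network("203.0.113.0/24"), "udp", 5060, "SIP trunk provider"),
    Rule(ipaddress.ip_network("198.51.100.10/32"), "tcp", 8089, "installer web GUI"),
]


def is_allowed(src_ip, proto, dport, rules=ALLOW):
    """Allow only on an explicit match; anything unmatched is denied."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in r.src and r.proto == proto and r.dport == dport for r in rules)


def evaluate(attempts, rules=ALLOW):
    """Split (src, proto, dport) attempts into those that reach the PBX and those dropped."""
    reached, dropped = [], []
    for a in attempts:
        (reached if is_allowed(*a, rules=rules) else dropped).append(a)
    return reached, dropped


def render_iptables(rules=ALLOW, chain="FORWARD", pbx="192.0.2.20"):
    """Render the allow-list as iptables commands ending in a default drop toward the PBX.

    One possible target syntax; the client's router or firewall may use another.
    """
    lines = [f"iptables -A {chain} -d {pbx} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        lines.append(f"iptables -A {chain} -d {pbx} -p {r.proto} -s {r.src} "
                     f"--dport {r.dport} -m comment --comment '{r.comment}' -j ACCEPT")
    lines.append(f"iptables -A {chain} -d {pbx} -j DROP")
    return lines


# Constructed connection attempts as seen at the perimeter.
ATTEMPTS = [
    ("203.0.113.45", "udp", 5060),   # provider, SIP: reaches the PBX
    ("198.51.100.10", "tcp", 8089),  # installer, web GUI: reaches the PBX
    ("192.0.2.99", "tcp", 8089),     # unknown address to the web GUI: dropped
    ("198.51.100.11", "tcp", 8089),  # neighbour of the installer, outside the /32: dropped
    ("203.0.113.45", "tcp", 8089),   # provider address but wrong port: dropped
]

if __name__ == "__main__":
    reached, dropped = evaluate(ATTEMPTS)
    print("reach the PBX:", reached)
    print("dropped at the firewall:", dropped)
    print("\n".join(render_iptables()))
```

The point the evaluator makes concrete is the one the poster keeps repeating: with a default drop in front of the box, a web-GUI or SIP bug on the PBX is only reachable from the handful of addresses the installer chose, so the PBX's own firewall and fail2ban become a second layer rather than the only one.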


#25

We’ve had a similar issue in one of our clients with a quite old firmware.
IPs were from Morocco, Israel, Palestine & Iraq.


#26

You can read dozens of posts about this problem: first you have to update the UCM FW, then you have to put the rules in ACL on the Firewall if you want to solve the problem.


#27

In essence, the inbuilt firewall protection of the UCM is like a sieve.
If proper protection is to be provided, an external firewall is needed to keep nasties away from the sieve.
In other words, a condom needs to be placed over the sieve to stop leakage.
Capiche?

I have not had similar issues with my many Yeastar S-series PBX customers. Perhaps their sieves are more ‘water tight’.


#28

Absolutely not, Yeastar has the same problems as everyone else on Asterisk.
Then I repeat UCM, as well as Yeastar etc. are VoIP servers and not firewalls.
Would you put a dish to cook in a washing machine?


#29

Alan, We really need to talk more often… I could save you endless technical hurt…you could have even asked Craig from Aristel to talk to me…

MyPBX are Asterisk-based PBXs, like the UCM in any variant.

The TELEPHONE SYSTEM is not a firewall… Draytek/Mikrotik/Watchguard/Sonicwall/EdgeRouter/PFSense are.

Kev


#30

Thank you for all the feedback. Yes, we can all take the advice for implementing external firewall measures.
It is a pity that Grandstream et al do not advise this in their IP-PBX training.
The same advice was not given on Yeastar MyPBX or S-series training - only setting up the internal firewall rules.

Grandstream have just advised that there were vulnerabilities in earlier firmware versions which provided malicious attack on the systems by way of SQL injections.
Systems must be upgraded to the latest release, and the ‘admin’ password changed after upgrade.

Extracted from email:-

We recently published a new firmware version for the UCM series of IP PBXs that adds a number of major enhancements, detailed below. Version 1.0.20.23 also fixes a reported critical security vulnerability. To ensure that every UCM series IP PBX is fully secure and protected from the security risk, we urgently suggest that you take the following 2 steps to upgrade all UCM devices:

Steps to update the UCM series

  1. Update each UCM6200 series and UCM6510 device to firmware version 1.0.20.23 (for UCM6100 series models, upgrade to 1.0.18.18)
  2. IMPORTANT - Immediately change the admin password after installing the upgrade to keep the UCM secure

The security vulnerability in question is associated with unauthenticated password retrieval.

Grandstream Security Bulletin
GS20-UCM005 indicates:-

Grandstream received reports of SQL injections that could allow malicious unauthenticated users to retrieve the passwords of created users from the UCM61xx/62xx/6510 series IP PBX appliances with firmware 1.0.20.20 or older for UCM62xx/6510 and firmware 1.0.18.17 or older for UCM61xx. When certain actions are invoked on specific ports, the related modules will be vulnerable to the aforementioned SQL injections and brute force attacks.

BACKDOOR LOCATED AND SHUT.

Yes Damiano and Kevin, an external firewall needs to be introduced into the network to shield the IP-PBX from future attacks - we get that, now.
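The bulletin quoted above describes the class of bug, not its code: a request parameter spliced into SQL text, letting an unauthenticated caller read credentials. The Python below is an added example, not Grandstream's code and not the query the bulletin refers to. It builds a constructed SQLite users table and puts the defective string-built lookup beside its parameterized replacement, which also answers the earlier worry in this thread about whether renaming the admin account helps: against a string-built query it does not, against a bound parameter the input is just data.

```python
"""String-built SQL lookup beside its parameterized replacement.

Added example, not Grandstream's code and not the query the bulletin refers
to. The users table and its rows are constructed; the password column is
there only to show what a string-built lookup leaks.
"""
import sqlite3


def make_db():
    """Constructed users table with a renamed super-admin and one extension."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, user_password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("superadmin_x9", "Correct-Horse-Battery"), ("ext1001", "1001pw")],
    )
    return con


def lookup_vulnerable(con, user_name):
    """Defective pattern: the caller's string becomes part of the SQL text,
    so quote characters in it rewrite the WHERE clause instead of being data."""
    sql = f"SELECT user_name, user_password FROM users WHERE user_name = '{user_name}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, user_name):
    """Fixed pattern: a bound parameter is always a value, never SQL."""
    sql = "SELECT user_name, user_password FROM users WHERE user_name = ?"
    return con.execute(sql, (user_name,)).fetchall()


# Textbook tautology input. It is not a valid user name, so a correct lookup
# must return no rows no matter what the admin account is called.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the hardened lookup,
    rows from a normal hardened lookup of a real user)."""
    con = make_db()
    leaked = lookup_vulnerable(con, TAUTOLOGY)  # every row: the rename of 'admin' is irrelevant
    safe = lookup_hardened(con, TAUTOLOGY)      # no rows: the input matched nothing
    normal = lookup_hardened(con, "ext1001")    # the hardened query still works for real names
    return len(leaked), len(safe), normal


if __name__ == "__main__":
    leaked, safe, normal = demo()
    print(f"vulnerable lookup returned {leaked} rows, hardened lookup {safe}, normal lookup {normal}")
```

Parameterization removes the injection; it does not change the fact that the table holds something worth reading, which is why the bulletin's second step of changing the admin password after upgrading matters even once the query is fixed.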


#31

The basics of VoIP are:

  • the basic knowledge of the SIP Protocol.
  • the Security (therefore external firewall).
  • the general rules of infrastructure to properly support VoIP.

Without knowledge of these 3 rules you don’t go and install VoIP and everything that goes with it.
Grandstream, like all manufacturers, assumes that the installer knows these 3 rules well.


#32

Hello
There is a serious and effective vulnerability now in your system and these are the links of the vulnerability!

Grandstream UCM6200 Series WebSocket 1.0.20.20 - ‘user_password’ SQL Injection

https://www.exploit-db.com/exploits/48271

Grandstream UCM6200 Series CTI Interface - ‘user_password’ SQL Injection

https://www.exploit-db.com/exploits/48270

And it works to retrieve the manager’s information; even if he changed the information, the new one is retrieved by injection!?


#33

Update the FW of the UCM and above all make sure you have the firewall NAT rules in ACL and you will have no problems.
And don’t open identical posts, just mix it up.


#34

Thanks NINJA.
It transpires that Grandstream were aware of this vulnerability a month ago.
You can read all about it here:


A lot of people may be surprised and disappointed with Grandstream having such an easily breached system, and have only just applied a fix.
Yes, Damiano, it would all be avoided by the use of an external firewall. We’ve had that hammered into us sufficiently, but I’m still pretty bummed by the lack of proper protective measures within the box.


#35

Your thinking is not correct; that’s a problem that involves many manufacturers. I’ve just, for example, updated QNAP, Draytek etc… so no use complaining here.
The firewall is mandatory, it’s required by law (here in Italy it’s mandatory, but not everyone does it is another matter), and it’s required by the seriousness of any installer.
The problem should not be looked for in GS; on the contrary, they should be praised for having quickly found the solution.
If, for example, thieves come to your home to steal, do you report the thieves or who produced the access door to your home?
Unfortunately, the bad guys work daily to “hack” the systems, and the Manufacturers work daily to protect the systems.
And this happens in all active devices, Firewall, Router, “Server”, A.P., VoIP server etc…
So it’s useless to come here and complain and argue about the Manufacturer. Open a ticket and you can make as many complaints as you want.
Welcome to the complicated world of computing.

Good Job