Thank you for all the feedback. Yes, we can all take the advice for implementing external firewall measures.
It is a pity that Grandstream et al do not advise this in their IP-PBX training.
The same advice was not given on Yeastar MyPBX or S-series training - only setting up the internal firewall rules.
Grandstream have just advised that there were vulnerabilities in earlier firmware versions which allowed malicious attacks on the systems by way of SQL injection.
Systems must be upgraded to the latest release, and the ‘admin’ password changed after upgrade.
Extracted from email:
We recently published a new firmware version for the UCM series of IP PBXs that adds a number of major enhancements, detailed below. Version 188.8.131.52 also fixes a reported critical security vulnerability. To ensure that every UCM series IP PBX is fully secure and protected from the security risk, we urgently suggest that you take the following 2 steps to upgrade all UCM devices:
Steps to update the UCM series
- Update each UCM6200 series and UCM6510 device to firmware version 184.108.40.206 (for UCM6100 series models, upgrade to 220.127.116.11)
- IMPORTANT - Immediately change the admin password after installing the upgrade to keep the UCM secure
The security vulnerability in question is associated with unauthenticated password retrieval.
Grandstream Security Bulletin
Grandstream received reports of SQL injections that could allow malicious unauthenticated users to retrieve the passwords of created users from the UCM61xx/62xx/6510 series IP PBX appliances with firmware 18.104.22.168 or older for UCM62xx/6510 and firmware 22.214.171.124 or older for UCM61xx. When certain actions are invoked on specific ports, the related modules will be vulnerable to the aforementioned SQL injections and brute force attacks.
BACKDOOR LOCATED AND SHUT.
Yes Damiano and Kevin, an external firewall needs to be introduced into the network to shield the IP-PBX from future attacks - we get that now.
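As an added example (not part of the post above, and not Grandstream's or Yeastar's own guidance), here is one way to express the "external firewall in front of the PBX" advice as an nftables ruleset. The PBX address, admin network, trunk-provider network and the port list are constructed assumptions, as is the choice of 8089 as the web-UI port; replace them with your own values. The idea is that the management interface, where the vulnerable web modules live, is reachable only from an administrative network, SIP signalling and media only from the trunk provider, and everything else to the PBX is logged and dropped so scanning of the PBX becomes visible in the firewall log rather than in the PBX itself.

```shell
#!/bin/sh
# Added example, not from the forum post or any vendor documentation.
# Generates an nftables ruleset for an external firewall that shields an IP-PBX.
# All addresses and ports below are constructed assumptions for illustration.
PBX_ADDR="${PBX_ADDR:-192.0.2.10}"          # the PBX behind the firewall
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # hosts allowed to reach the web UI / SSH
TRUNK_NET="${TRUNK_NET:-203.0.113.0/24}"    # SIP trunk provider's address range
MGMT_PORTS="{ 22, 80, 443, 8089 }"          # assumed management ports (8089 = assumed web UI port)

# Emit the ruleset as text. The forward chain only concerns traffic destined
# for the PBX; replies to connections the PBX opened (e.g. registration to the
# trunk) are covered by the established/related rule.
gen_pbx_ruleset() {
    cat <<EOF
table inet pbx_shield {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip daddr $PBX_ADDR ct state established,related accept
        ip daddr $PBX_ADDR ip saddr $ADMIN_NET tcp dport $MGMT_PORTS accept
        ip daddr $PBX_ADDR ip saddr $TRUNK_NET udp dport 5060 accept
        ip daddr $PBX_ADDR ip saddr $TRUNK_NET udp dport 10000-20000 accept
        ip daddr $PBX_ADDR log prefix "pbx-drop: " drop
    }
}
EOF
}

# Self-check: exactly one rule may accept traffic to the management ports,
# and it must be the one restricted to the admin network.
count_mgmt_accepts() {
    gen_pbx_ruleset | grep -Fc "tcp dport $MGMT_PORTS accept"
}

# Self-check: the chain must end with a logged default drop for the PBX.
has_default_drop() {
    gen_pbx_ruleset | grep -Fq "ip daddr $PBX_ADDR log prefix \"pbx-drop: \" drop"
}

# Usage on the firewall host:  sh pbx_shield.sh > pbx_shield.nft && nft -f pbx_shield.nft
gen_pbx_ruleset
```

The `log prefix "pbx-drop: "` line is the detection hook: any connection attempt to the PBX from outside the two allowed networks shows up in the firewall's kernel log, which is a simple signal that someone is probing the management or SIP ports. Review the accepted port list against what the PBX actually needs (the UCM's own web port may differ from the assumed 8089) before loading the ruleset.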