A recent article in The Hacker News (THN) discusses a brute force vulnerability in the Cisco Call Manager, also known as the Unified Communications Manager, identified by Roberto Suggi Liverani. He is the founder of the OWASP (Open Web Application Security Project) New Zealand chapter. In his blog he details the vulnerability and gives proof of concept examples. He states:
“During a security review, I have found a quick way to perform PIN brute force attack against accounts registered with a Cisco Unified Communications Manager (Call Manager).”
For those not familiar with Call Manager, this gives some interesting insight into how the Cisco VoIP system works between the manager and the phone.
The phone call is one of the main mechanisms by which businesses get the job done. Whether it is a web-based business or the local brick-and-mortar shop, the phone is a key business tool, and more and more businesses are opting for Voice over IP (VoIP) rather than traditional PBX and POTS lines.
As a result, many businesses are deploying or upgrading their VoIP systems, which means taking a look at the business LAN and WAN. It is therefore important to audit the network for current or future call quality. A recent article from the SANS Internet Storm Center discusses what to consider and provides some examples.
Here is part of the opening content by the author Rob VandenBrink:
In this diary, I’ll do a short description of auditing a WAN link for metrics key to VOIP (Voice over IP) call quality. Just a short proviso – this is not a complete guide to VOIP call quality or auditing for VOIP metrics, it’s meant as a starting point which you can take to your own environment and tailor to your own needs and toolset.
So, why would you want to audit a WAN link for VOIP call quality metrics?
1/ To assess if your edge routers are properly re-marking TOS or DSCP bits in the right packets, for delivery to the WAN (commonly done with PBR, Policy Based Routing)
2/ To assess if your WAN provider is honoring your QOS settings, and delivering the appropriate QOS to your various types of traffic
I’ll assume that there’s at least one Cisco device at each end of the WAN link we’re assessing (the commands described are available on IOS switches and routers), but the functions I’m describing are certainly available in most of the other name-brand network platforms.
So first of all, what will we audit in this setup?
Delay – how long does it take a packet to make a round-trip from one end to the other?
Jitter – how much does Delay change during any given call? (zero would be ideal)
MOS (Mean Opinion Scores) – a mathematical distillation of overall call quality to a single value, with 5 being perfect fidelity.
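To make the three metrics concrete, here is an added example (not code from the SANS diary or from Cisco) that computes them from a constructed set of packet timings: mean one-way delay, interarrival jitter using the smoothed estimator from RFC 3550 section 6.4.1, and an estimated MOS. The MOS estimate uses a widely used simplified approximation of the ITU-T G.107 E-model R factor (the delay/jitter/loss penalties below are that approximation's assumptions, not the full model) followed by the standard G.107 R-to-MOS conversion. The sample packets, the 50 ms baseline transit time and the single lost packet are constructed for the demonstration.

```python
"""VoIP call-quality metrics from packet timings: delay, jitter, estimated MOS.

Added example for illustration; not code from the SANS ISC diary or Cisco.
The samples below are constructed, not captured from a real link.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class PacketSample:
    seq: int
    sent_ms: float                 # sender timestamp in milliseconds
    recv_ms: Optional[float]       # receiver timestamp in ms, None if the packet was lost


def one_way_delay_ms(samples: List[PacketSample]) -> float:
    """Mean one-way transit time over packets that actually arrived."""
    return mean(s.recv_ms - s.sent_ms for s in samples if s.recv_ms is not None)


def rfc3550_jitter_ms(samples: List[PacketSample]) -> float:
    """Interarrival jitter per RFC 3550 section 6.4.1: J = J + (|D| - J) / 16,
    where D is the change in transit time between consecutive received packets."""
    j = 0.0
    prev_transit = None
    for s in samples:
        if s.recv_ms is None:
            continue                       # lost packets contribute to loss, not jitter
        transit = s.recv_ms - s.sent_ms
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            j += (d - j) / 16.0
        prev_transit = transit
    return j


def packet_loss_pct(samples: List[PacketSample]) -> float:
    lost = sum(1 for s in samples if s.recv_ms is None)
    return 100.0 * lost / len(samples)


def r_factor(delay_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """Simplified E-model R factor (assumption: common approximation, not full G.107).
    Effective latency adds a jitter-buffer penalty (2x jitter) and 10 ms codec delay;
    delay above 160 ms is penalised much more steeply; each 1% loss costs 2.5 points."""
    effective_latency = delay_ms + 2.0 * jitter_ms + 10.0
    if effective_latency < 160.0:
        r = 93.2 - effective_latency / 40.0
    else:
        r = 93.2 - (effective_latency - 120.0) / 10.0
    return r - 2.5 * loss_pct


def mos_from_r(r: float) -> float:
    """ITU-T G.107 conversion from R factor to MOS (1.0 = worst, 4.5 = best)."""
    if r < 0.0:
        return 1.0
    if r > 100.0:
        return 4.5
    return 1.0 + 0.035 * r + r * (r - 60.0) * (100.0 - r) * 7e-6


def summarize(samples: List[PacketSample]) -> dict:
    delay = one_way_delay_ms(samples)
    jitter = rfc3550_jitter_ms(samples)
    loss = packet_loss_pct(samples)
    r = r_factor(delay, jitter, loss)
    return {"delay_ms": delay, "jitter_ms": jitter, "loss_pct": loss,
            "r_factor": r, "mos": mos_from_r(r)}


def constructed_samples() -> List[PacketSample]:
    """Ten packets sent 20 ms apart (typical G.711 packetisation), transit time
    around 50 ms, packet 5 lost. Values are constructed for the example."""
    transits = [50, 52, 49, 51, 50, None, 53, 50, 48, 50]
    return [PacketSample(i, 20.0 * i, None if t is None else 20.0 * i + t)
            for i, t in enumerate(transits)]


if __name__ == "__main__":
    for k, v in summarize(constructed_samples()).items():
        print(f"{k:>10}: {v:.3f}")
```

A 10-packet sample is enough to show the mechanics; on a real audit you would feed in thousands of probe packets (for example from an IOS IP SLA probe at each end of the WAN link) and watch how delay, jitter and MOS move over the day. Note that a single lost packet out of ten costs 25 R points here, which is why loss, not delay, is usually what drags a call from "good" to "fair".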
This is a good article that reinforces the fact that doing a little auditing on the “boring” can help improve your business's bottom line and also add to your overall security/technical program.