Vladimir Toncar (Kerio)


There is a new type of attack that is aimed at automatic provisioning. The botnets are scanning for TFTP servers and if they discover one, they try to auto-provision a SIP extension from it. We've recently seen a case when this attack was so intensive that it resulted in a denial of service.

Please note that the comment about phone provisioning ("Never make it accessible from the public internet.") in Operator's firewall configuration is there for a reason. It is really excessively risky to open automatic phone provisioning to the public internet. If an attacker "auto-provisions" an extension from your PBX, they will be able to call anywhere at your expense.

If you allowed access to hardware phone provisioning to 'All IP Addresses', please change it to something safe NOW. We recommend that you use HW phone provisioning only in your LAN or over a VPN link.

The next version of Operator will not allow the built-in IP address group 'All IP Addresses' to be used for phone provisioning firewall configuration.

For those interested in details, the mentioned attack was using TFTP requests that are typical for Linksys/Cisco SPA phones. Each request contained a different hardware address. It was a relatively stupid brute-force scanning of the address space but there's no guarantee the attackers will not improve over time.


[Updated on: Wed, 22 June 2016 10:50]
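The scanning pattern described in the post above (one source asking the TFTP server for configuration files under many different hardware addresses) can be spotted in request logs. The following is an added example, not part of the original post and not Kerio code; the log line format, the file-name pattern, the threshold and the window are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log shape (not Kerio Operator's real format):
#   "<ISO timestamp> RRQ from <source ip> filename <requested file>"
LINE_RE = re.compile(r"^(\S+) RRQ from (\S+) filename (\S+)$")
# Assumed naming: 12 hex digits (the hardware address) right before the extension.
MAC_RE = re.compile(r"([0-9a-f]{12})\.\w+$", re.I)

def scan_sources(lines, max_macs=3, window=timedelta(minutes=5)):
    """Return {source_ip: peak distinct MACs per window} for sources above max_macs."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m.group(3)) if m else None
        if mac:  # lines without a per-device file name are ignored
            ts = datetime.fromisoformat(m.group(1))
            per_src[m.group(2)].append((ts, mac.group(1).lower()))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, mac in events:
            in_window[mac] += 1
            # Drop requests that have fallen out of the sliding window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_macs:  # a real phone only ever asks for its own address
            flagged[src] = peak
    return flagged

# Constructed sample: one LAN phone, one fast scanner, one slow source.
SAMPLE_LOG = [
    "2016-06-20T10:00:00 RRQ from 192.168.1.20 filename spa504G.cfg",
    "2016-06-20T10:00:01 RRQ from 192.168.1.20 filename spa00112233aa01.cfg",
    "2016-06-20T10:30:01 RRQ from 192.168.1.20 filename spa00112233aa01.cfg",
] + [
    f"2016-06-20T10:05:{i:02d} RRQ from 203.0.113.50 filename spa0011223344{i:02x}.cfg"
    for i in range(6)
] + [
    f"2016-06-20T{10 + i}:00:00 RRQ from 198.51.100.9 filename spa00112233cc{i:02x}.cfg"
    for i in range(4)
]

if __name__ == "__main__":
    print(scan_sources(SAMPLE_LOG))
```

A source that spreads its requests out stays under a short window, so the window and threshold need tuning against the request volume of a real deployment.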


Thank you for the warning.

As of today my Operator is secured and only reachable via VPN (control of course)

Have a great day
