[Enswitch-announce] IMPORTANT: Security vulnerability in HTTP provisioning in 3.7 and later
Alistair Cunningham
acunningham at integrics.com
Mon Feb 16 01:41:25 UTC 2015
If you don't have provisioning via HTTP configured on your Enswitch
system, or are using Enswitch 3.6 or earlier, you can ignore this.
A severe security vulnerability has been found in Enswitch 3.7 and
later. If automatic provisioning of handsets via HTTP is enabled, an
attacker can download provisioning data (including SIP passwords) for
all handsets on the system without needing to know their SIP account
numbers or MAC addresses.
We have produced a temporary fix for this for all affected versions. If
you're affected, you should:
1. As soon as possible, update your test system (if you have one) to the
latest fixes.
2. Test that provisioning still works.
3. Update your production system(s) to the latest fixes.
4. Change the SIP passwords for all telephone lines on the system. We
will provide a script to do a bulk update to random passwords within the
next 24 hours.
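The bulk rotation in step 4 needs a fresh, unpredictable password per line. The following is an added example, not the script Integrics says it will provide and not Enswitch code: it generates a cryptographically random SIP password for every line name in a constructed list and renders the result as CSV. The line names, the CSV column names, the alphabet and the 24-character default length are all assumptions of this example; how the new passwords are loaded into Enswitch is left to the vendor's script.

```python
"""Added example (not Enswitch's own bulk-update script): generate a fresh,
cryptographically random SIP password for every telephone line so the
rotation in step 4 can be done in bulk from a list of line names.

Assumptions (none from the original announcement): line names come from a
constructed list; the CSV layout and column names are chosen here; the
alphabet and 24-character default length are defensive defaults.
"""
import csv
import io
import secrets
import string

# Alphanumeric only: avoids characters that some handset provisioning
# templates treat specially (quotes, ampersands, angle brackets).
ALPHABET = string.ascii_letters + string.digits


def generate_sip_password(length: int = 24) -> str:
    """Return a random password drawn from ALPHABET using the OS CSPRNG.

    The loop rejects candidates lacking a lowercase letter, an uppercase
    letter or a digit, so the result also passes simple handset
    complexity checks.
    """
    if length < 12:
        raise ValueError("SIP passwords should be at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def rotate_passwords(lines, length: int = 24) -> dict:
    """Map every line name to a new, unique password.

    A duplicate line name is rejected rather than silently overwritten,
    so a mistake in the input list cannot leave a line unrotated.
    """
    rotated = {}
    for line in lines:
        if line in rotated:
            raise ValueError(f"duplicate line name: {line}")
        rotated[line] = generate_sip_password(length)
    # All generated passwords must be distinct; with 24 alphanumeric
    # characters a collision is astronomically unlikely, but check anyway.
    if len(set(rotated.values())) != len(rotated):
        raise RuntimeError("password collision detected; rerun")
    return rotated


def to_csv(rotated: dict) -> str:
    """Render the rotation as CSV (column names are an assumption here)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["line", "new_sip_password"])
    for line, pw in sorted(rotated.items()):
        writer.writerow([line, pw])
    return buf.getvalue()


# Constructed sample input: three line names, not taken from any real system.
SAMPLE_LINES = ["1001", "1002", "1003"]

if __name__ == "__main__":
    print(to_csv(rotate_passwords(SAMPLE_LINES)))
```

Treat the generated CSV as sensitive in its own right: it contains the new credentials, so it should be applied and then deleted, not left on a shared filesystem.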
In the meantime, we will work on a permanent fix, and will let everyone
know when ready. We expect this to be in the next few days.
I apologise for this.
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
http://integrics.com/