- Attackers routinely scan IP address ranges for open ports. When they find a provisioning service that can be brute forced, they run a remote provisioning scan: they take the first 6 hex digits of a 12-digit MAC address from a popular phone vendor's OUI (Polycom, Yealink and others) and brute force the remaining 6 digits (16,777,216 possibilities per OUI), requesting the <MAC>.cfg file for each guess.
- For example, a ScopTEL server using the default HTTP listen port of 5555 can be attacked this way. Other vendors' provisioning servers are equally exposed on whatever HTTP listen port they use to provision IP phones remotely.
- TFTP on UDP port 69 is especially exposed: no directory path has to be guessed, because a request containing only the <MAC>.cfg filename is enough to harvest the file, and TFTP has no authentication of its own. TFTP should be denied on the Firewall whenever possible.
- If Telephony>Configuration>Security>Flood Protection is enabled together with the ScopTEL Firewall and Telephony Flood Protection (Fail2ban) Service, the remote attacker's IP address is blacklisted by the Firewall as soon as a brute force attack is detected.
- But if the remote attacker already knows a valid MAC address on the network, a single request is enough and there is no brute force to detect, so that MAC.cfg file can easily be harvested unless HTTP Authentication is configured. The exact methodology won't be published here, as it should not be public knowledge.
- This document explains how to lock down a server using HTTP Authentication.
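The detection that Flood Protection relies on, and the gap it leaves, can be illustrated with a short script. The following is an added example and is not ScopTEL's own code or its Fail2ban filter: it reads provisioning-server access-log lines in the common combined log format (an assumption about the server's logging; the sample lines are constructed for this example) and flags any source IP that fetched more than a threshold of distinct <MAC>.cfg files inside a time window, reporting the OUI prefix being enumerated and any file that was actually served with a 200. A legitimate phone polling its own single file never trips the threshold, and an attacker who requests one known MAC once is not caught either, which is exactly the case HTTP Authentication is needed for.

```python
"""Flag source IPs enumerating <MAC>.cfg provisioning files (added example).

Log format, thresholds and sample data are assumptions made for this example;
they are not ScopTEL's Flood Protection rules.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx style): ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Final path component is a 12-hex-digit MAC followed by ".cfg" (TFTP would carry it bare).
MACFILE_RE = re.compile(r'(?:^|/)(?P<mac>[0-9A-Fa-f]{12})\.cfg$')


def parse_line(line):
    """Return (ip, timestamp, mac, status) for a <MAC>.cfg request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = MACFILE_RE.search(m["path"].split("?", 1)[0])  # ignore any query string
    if not f:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, f["mac"].lower(), int(m["status"])


def detect_scans(lines, max_macs=5, window=timedelta(seconds=60)):
    """Return {ip: report} for each IP that requested more than max_macs distinct
    MAC.cfg files within any window-long period (sliding window per source IP)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, mac, status = parsed
            events[ip].append((ts, mac, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()  # distinct MACs currently inside the window
        start = 0
        for ts, mac, _status in evs:
            in_window[mac] += 1
            while ts - evs[start][0] > window:  # expire events older than the window
                old_mac = evs[start][1]
                in_window[old_mac] -= 1
                if in_window[old_mac] == 0:
                    del in_window[old_mac]
                start += 1
            if len(in_window) > max_macs:
                macs = {m for _, m, _ in evs}
                flagged[ip] = {
                    "distinct_macs": len(macs),
                    "ouis": sorted({m[:6] for m in macs}),          # vendor prefixes tried
                    "harvested": sorted(m for _, m, s in evs if s == 200),  # files served
                }
                break
    return flagged


# Constructed sample log: one real phone polling its own file, one scanner walking an OUI.
PHONE_LINES = [
    f'10.0.0.5 - - [10/Mar/2024:09:{mm:02d}:01 +0000] "GET /provisioning/0004f2aabbcc.cfg HTTP/1.1" 200 1843 "-" "FileTransport Polycom"'
    for mm in (0, 10, 20)
]
ATTACK_LINES = [  # eight guesses in eight seconds; guess 6 happens to hit a real phone
    f'203.0.113.9 - - [10/Mar/2024:09:15:{i:02d} +0000] "GET /provisioning/0004f2{i:06x}.cfg HTTP/1.1" {200 if i == 6 else 404} 198 "-" "curl/8.0"'
    for i in range(8)
]
SAMPLE_LOG = PHONE_LINES + ATTACK_LINES

if __name__ == "__main__":
    for ip, report in detect_scans(SAMPLE_LOG).items():
        print(ip, report)
```

The legitimate phone re-fetches the same file every ten minutes and stays at one distinct MAC, while the scanner crosses the threshold on its sixth guess and is reported together with the file it managed to harvest; in production the flagged IP is what a Fail2ban action would ban.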
ScopTEL - Securing Configuration Files with HTTP Authentication