Pascal Gienger wrote:

> Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
>
> Abstract:
> Non-interpretation of "international" or "national" incoming call setup
> leads to a security problem when you accept connections based on their
> incoming call number.
>
> Bintec is a manufacturer of routers whose market share is growing steadily.
> So the following information should be of general interest.
> Bintec Routers are shipped with the BOSS Operating system, current release
> is V4.9, Rel.3.
>
> Bricks do support besides PPP links also raw IP encapsulation over HDLC
> frames (ISDN Line).
> In the latter case, WAN partners are distinguished based upon their incoming
> call number (CLID), so you must "trust" your telephone company for issuing
> the right information. People may set their own "outgoing" number, but only
> the ones marked as "screened" by the telco are looked at.
>

There is a security mechanism available for all BinTec Routers that can be used to verify if the "Calling Party Number" of an incoming call was modified by the calling party.

The SETUP message of an incoming call at an ISDN interface contains a parameter field called "Screening Indicator". This Screening Indicator cannot be set by the originating user, but it is modified by the first exchange at the call originator side.

Possible values for the screening indicator are (refer to ITU Q.931 or ETSI 300 102-1):

- "user-provided - not screened"
- "user-provided - verified and passed"
- "user-provided - verified and failed"
- "network provided"

From firmware revision BOSS V4.8 Release 1, the user could select if the screening indicator is verified and specify the expected value. This can be done for every individual number, and is selected by modification of the SNMP configuration table "dialtable".

Unfortunately there are many smaller PABXs (private branch exchanges) used by our customers that do not pass through the value of the screening indicator without modification, so we decided not to verify all numbers by default. For users of raw IP connections, we recommend verification of the screening indicator.

# Thomas Schmidt / Product Manager
# BinTec Communications AG
# D-90449 Nuernberg / Suedwestpark 94
# Phone : 49-911-9673-0
# Fax : 49-911-6880725
# EMail : tsat_private
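
Added example, not part of the original message and not BinTec code: a decoder for the Q.931 Calling party number information element that reads the screening indicator discussed above and applies a CLID acceptance check. The acceptance policy (`accepted`), the helper names and the sample bytes are assumptions made for illustration.

```python
# Added example. Octet layout follows the Calling party number information
# element of ITU-T Q.931 (identifier 0x6C); the sample bytes are constructed.
SCREENING = {
    0: "user-provided, not screened",
    1: "user-provided, verified and passed",
    2: "user-provided, verified and failed",
    3: "network provided",
}
TYPE_OF_NUMBER = {0: "unknown", 1: "international", 2: "national", 4: "subscriber"}

def parse_calling_party_number(ie: bytes) -> dict:
    """Decode type of number, screening indicator and digits from the IE."""
    if len(ie) < 3 or ie[0] != 0x6C:
        raise ValueError("not a Calling party number IE")
    body = ie[2:2 + ie[1]]
    if not body or len(body) != ie[1]:
        raise ValueError("empty or truncated IE")
    octet3, pos = body[0], 1
    screening = 0  # Q.931 default when octet 3a is omitted: not screened
    if not octet3 & 0x80:  # extension bit clear, so octet 3a follows
        if len(body) < 2:
            raise ValueError("octet 3a missing")
        screening = body[1] & 0x03  # screening indicator, bits 2-1
        pos = 2
    return {
        "type_of_number": TYPE_OF_NUMBER.get((octet3 >> 4) & 0x07, "other"),
        "screening": screening,
        "screening_text": SCREENING[screening],
        "digits": body[pos:].decode("ascii"),  # IA5 digits
    }

def clid_is_trusted(ie: bytes, expected_digits: str, accepted=(1, 3)) -> bool:
    """Hypothetical policy: match the CLID only if the network vouches for it."""
    try:
        cpn = parse_calling_party_number(ie)
    except ValueError:  # malformed IE or non-ASCII digits: never trust
        return False
    return cpn["screening"] in accepted and cpn["digits"] == expected_digits

def _ie(octets: bytes) -> bytes:
    """Wrap octets 3.. in the IE identifier and length (sample builder)."""
    return bytes([0x6C, len(octets)]) + octets

# Constructed samples: national number, ISDN numbering plan, digits 5550100.
NETWORK_PROVIDED = _ie(b"\x21\x83" + b"5550100")
NOT_SCREENED = _ie(b"\x21\x80" + b"5550100")
NO_OCTET_3A = _ie(b"\xa1" + b"5550100")  # octet 3a omitted by the sender
```

An IE that omits octet 3a is treated as "user-provided, not screened", so a check that only looks for an explicit "not screened" value would miss it.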
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:49 PDT