IPChitChat Blog

News and Views from the IPChitChat Team
3CX, the makers of the popular Microsoft Windows-based IP phone system, have released a security update for 3CX Phone System 9 installations. There are no details of which particular vulnerabilities have been addressed by this update, except that it addresses vulnerabilities when using bridges to connect to other 3CX phone systems. Details of the update and further recommendations for securing 3CX installations are available in the 3CX announcement of the release.

The number of attacks on SIP-based VoIP systems appears to have increased at an alarming rate over the past few months, so it is essential that your PBX environment is secured.

Some essential actions that you must take include:

  • Ensure a firewall is in place to protect your internal network from the internet
  • Only open ports on your firewall that are absolutely essential
  • When opening ports on your firewall, only open them to trusted sources and not to the world
  • For external connections to your PBX, use a VPN tunnel where possible, e.g. for remote workers
  • Where VPN tunnels aren't practical, for instance with a SIP service provider, seek advice from your service provider and understand which ports they require to be opened and which IP address ranges their service uses
  • Our service uses the following IP ranges: 217.14.138.0/12, 77.240.48.0/24, 77.240.60.0/24
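To make the "trusted sources only" rule concrete, here is an added example (not code from 3CX or from the IPChitChat post) that takes the three provider ranges quoted above, checks whether a given source address falls inside them, and emits an allow-list of iptables rules for SIP signalling plus an assumed RTP media range. One caveat the code surfaces: the first range as written, 217.14.138.0/12, has host bits set beyond the /12 mask, so Python's `ipaddress` module only accepts it with `strict=False`, normalising it to 217.0.0.0/12, which is far wider than the address suggests. The example reports any such widened range so you can confirm the intended prefix with your provider before trusting it in a firewall rule. The SIP port (5060/UDP) and RTP port range (10000:20000) are assumptions, not values from the post.

```python
import ipaddress

# Provider source ranges copied verbatim from the bullet list above.
PROVIDER_RANGES = ["217.14.138.0/12", "77.240.48.0/24", "77.240.60.0/24"]


def parse_ranges(ranges):
    """Return (original_string, effective_network) pairs.

    strict=False is required because 217.14.138.0/12 has host bits set;
    ip_network() then yields 217.0.0.0/12, and the pairing lets callers
    see exactly how the written range was widened.
    """
    return [(cidr, ipaddress.ip_network(cidr, strict=False)) for cidr in ranges]


def widened_ranges(ranges=PROVIDER_RANGES):
    """CIDR strings whose effective network differs from the address as written."""
    return [cidr for cidr, net in parse_ranges(ranges) if str(net) != cidr]


def is_trusted_source(addr, ranges=PROVIDER_RANGES):
    """True if addr lies inside any of the provider ranges (after normalisation)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for _, net in parse_ranges(ranges))


def iptables_rules(ranges=PROVIDER_RANGES, sip_port=5060, rtp_ports="10000:20000"):
    """Allow SIP and RTP only from the provider ranges, then drop those ports for everyone else.

    sip_port and rtp_ports are assumed defaults; substitute your PBX's real values.
    """
    rules = []
    for _, net in parse_ranges(ranges):
        rules.append(f"iptables -A INPUT -p udp -s {net} --dport {sip_port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p udp -s {net} --dport {rtp_ports} -j ACCEPT")
    # Explicit drops after the accepts, so anything not from the allow-list is discarded.
    rules.append(f"iptables -A INPUT -p udp --dport {sip_port} -j DROP")
    rules.append(f"iptables -A INPUT -p udp --dport {rtp_ports} -j DROP")
    return rules


if __name__ == "__main__":
    for cidr in widened_ranges():
        print(f"WARNING: {cidr} has host bits set; effective network is wider. Confirm with provider.")
    for addr in ("77.240.48.10", "217.14.138.5", "8.8.8.8"):
        print(addr, "trusted" if is_trusted_source(addr) else "untrusted")
    print("\n".join(iptables_rules()))
```

The drop rules at the end are what turn a list of accepts into an allow-list; without them, a default-accept INPUT chain would still admit SIP traffic from anywhere.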

Additionally, ensure that all of your PBX extensions are secured with strong alphanumeric passwords. Most scan-based attacks take a three-stage approach to attacking your system. First they identify that a SIP-based PBX is installed at your IP address, next they attempt to determine what extension numbers are configured on your system, and finally they either exploit extensions with no passwords or attempt dictionary-based attacks to crack any passwords. The net result is that once this has been achieved, you will likely be faced with a hefty bill from your service provider for calls to premium rate numbers.
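The three stages described above leave a recognisable trace in PBX logs, and the password requirement can be audited rather than assumed. The following is an added example (not from 3CX or the IPChitChat post) that runs over constructed log lines in a simplified `key=value` format of my own, not a real 3CX log layout, and flags a source address for each stage it exhibits: an OPTIONS probe (identification), REGISTER failures against many distinct extensions (enumeration), and repeated failures against a single extension (password guessing). It counts only 403 and 404 responses as failures, because the first 401 on a REGISTER is the normal digest challenge that every legitimate phone receives. A small `weak_secret` check for extension passwords is included; the thresholds and the minimum length are assumptions to tune for your own site. Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
import re
from collections import defaultdict

# Constructed sample log: one scanner (203.0.113.5) and one legitimate phone (198.51.100.20).
SAMPLE_LOG = """\
2024-03-01T02:10:01 OPTIONS src=203.0.113.5 ext=- result=200
2024-03-01T02:10:02 REGISTER src=203.0.113.5 ext=100 result=404
2024-03-01T02:10:02 REGISTER src=203.0.113.5 ext=101 result=404
2024-03-01T02:10:03 REGISTER src=203.0.113.5 ext=102 result=404
2024-03-01T02:10:03 REGISTER src=203.0.113.5 ext=103 result=404
2024-03-01T02:10:04 REGISTER src=203.0.113.5 ext=104 result=404
2024-03-01T02:10:04 REGISTER src=203.0.113.5 ext=105 result=404
2024-03-01T02:10:05 REGISTER src=203.0.113.5 ext=200 result=403
2024-03-01T02:10:05 REGISTER src=203.0.113.5 ext=200 result=403
2024-03-01T02:10:06 REGISTER src=203.0.113.5 ext=200 result=403
2024-03-01T02:10:06 REGISTER src=203.0.113.5 ext=200 result=403
2024-03-01T02:10:07 REGISTER src=203.0.113.5 ext=200 result=403
2024-03-01T02:11:00 REGISTER src=198.51.100.20 ext=200 result=401
2024-03-01T02:11:00 REGISTER src=198.51.100.20 ext=200 result=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) src=(?P<src>\S+) ext=(?P<ext>\S+) result=(?P<code>\d{3})$"
)


def parse_log(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(events, enum_threshold=5, brute_threshold=5):
    """Map each suspicious source address to the attack stages observed from it."""
    probes = set()
    failed_exts = defaultdict(set)          # src -> distinct extensions that failed
    failures = defaultdict(int)             # (src, ext) -> number of failures
    for e in events:
        if e["method"] == "OPTIONS":
            probes.add(e["src"])
        elif e["method"] == "REGISTER" and e["code"] in ("403", "404"):
            # 401 is the routine digest challenge and is deliberately not counted.
            failed_exts[e["src"]].add(e["ext"])
            failures[(e["src"], e["ext"])] += 1
    findings = {}
    for src in sorted(probes):
        findings.setdefault(src, []).append("probe")
    for src, exts in failed_exts.items():
        if len(exts) >= enum_threshold:
            findings.setdefault(src, []).append("enumeration")
    for (src, ext), n in failures.items():
        if n >= brute_threshold:
            findings.setdefault(src, []).append(f"brute-force ext {ext}")
    return findings


def weak_secret(extension, secret, min_len=10):
    """Return a reason the extension password is weak, or None if it passes."""
    if not secret:
        return "empty"
    if secret == extension:
        return "same as extension"
    if len(secret) < min_len:
        return f"shorter than {min_len}"
    if not (any(c.isalpha() for c in secret) and any(c.isdigit() for c in secret)):
        return "no mix of letters and digits"
    return None


if __name__ == "__main__":
    for src, stages in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, "->", ", ".join(stages))
    for ext, pw in (("100", ""), ("101", "101"), ("102", "k7Qp2xLm9v")):
        print(ext, weak_secret(ext, pw) or "ok")
```

A source that shows all three stages in sequence is the pattern the post warns about; blocking it at the firewall and checking the targeted extension's password are the immediate responses, and the 401-versus-403 distinction keeps ordinary phone re-registrations out of the alert.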