Updated: Nov 23
Enterprises using the MS Teams Direct Routing service require a session border controller (SBC) to connect their telephony network with the MS Teams services. Each SBC vendor has to pass the certification and interoperability testing process and provides configuration guides for its customers. FRAFOS certified its FRAFOS ABC SBC in 2022.
The SySS team recently reported a security issue in the integration of one SBC vendor and the Microsoft Teams Direct Routing service (https://blog.syss.com/posts/abusing-ms-teams-direct-routing/).
The security issue comes from the weak authorization configured in the SBC for verifying incoming calls from the MS Teams Direct Routing service. The guide provided by that SBC vendor recommended checking only the content of the incoming SIP requests (specifically the Request URI and Contact headers), which is easy to fake with tools like SIPp or other SIP stacks. An attacker can then easily make fraudulent PSTN calls to expensive destinations.
The FRAFOS ABC SBC with the recommended configuration is not vulnerable to the reported security issue. The Direct Routing endpoint (called the “Call Agent” in FRAFOS terminology) is defined by its FQDN (MS Teams specifies in its settings that the traffic will come from e.g. sip.pstnhub.microsoft.com). The SBC’s signalling process resolves this FQDN, and only requests coming from the resolved IP addresses qualify as coming from the Direct Routing service. The customer does not have to configure any specific source IP addresses or IP subnets to allow the traffic.
Another recommendation is to verify the client’s TLS certificate and check that it was issued by one of the uploaded Certificate Authorities specified in the “Trusted CA certificate file”. We’re also adding a new configuration option to access the TLS connection’s client certificate (CN and SAN fields) in the configuration rules, which will allow the administrator to add an additional level of security.
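The difference between the header-only check and the source-address and certificate checks described in the last two paragraphs, as an added Python sketch (not FRAFOS ABC SBC code or configuration, and not taken from the SySS report). The `Inbound` record, the function names, `sbc.example.com`, the injected resolver and all addresses and certificate names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

PEER_FQDN = "sip.pstnhub.microsoft.com"   # Direct Routing FQDN named in the text
SBC_FQDN = "sbc.example.com"              # constructed: the customer's SBC name

@dataclass
class Inbound:
    src_ip: str               # peer address of the TLS connection, not a SIP header
    request_uri: str          # written by the sender
    contact: str              # written by the sender
    chain_ok: bool = False    # client certificate chained to the trusted CA file?
    sans: tuple = ()          # DNS SAN entries of that client certificate

def header_only_check(msg):
    """The weak rule: trusts fields the sender writes into the SIP request."""
    return SBC_FQDN in msg.request_uri and "pstnhub.microsoft.com" in msg.contact

def san_matches(san, fqdn):
    """Exact match, or a wildcard covering exactly one left-most label."""
    san, fqdn = san.lower().rstrip("."), fqdn.lower().rstrip(".")
    if san.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == san[2:]
    return san == fqdn

def transport_check(msg, resolve):
    """Source IP must be one the peer FQDN resolves to, and the verified
    client certificate must carry a SAN for that FQDN."""
    allowed = {ipaddress.ip_address(a) for a in resolve(PEER_FQDN)}
    if ipaddress.ip_address(msg.src_ip) not in allowed:
        return False
    return msg.chain_ok and any(san_matches(s, PEER_FQDN) for s in msg.sans)

# Constructed sample data (documentation address ranges, not real peer IPs).
def fake_resolve(name):
    return ["192.0.2.10", "192.0.2.11"] if name == PEER_FQDN else []

URI = "sip:+15550100@sbc.example.com"
CONTACT = "<sip:sip.pstnhub.microsoft.com:5061;transport=tls>"
FORGED = Inbound("198.51.100.7", URI, CONTACT)   # right headers, wrong origin
GENUINE = Inbound("192.0.2.10", URI, CONTACT, True, ("*.pstnhub.microsoft.com",))

if __name__ == "__main__":
    for name, m in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, header_only_check(m), transport_check(m, fake_resolve))
```

Both sample requests carry identical SIP headers, so only the checks bound to the connection itself tell them apart.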