Close your Ingate for malicious SIP servers!
Lisa Hallingström
lisa@ingate.com
Wed, 06 Aug 2008 17:32:27 +0200

Malicious SIP servers can use your SIP system for long-distance calls if
you haven't used all the security checks the Ingate offers.

Exploit: A SIP server on the outside sends an INVITE whose Request-URI
points at a service provider that uses IP authentication. This INVITE
is sent to the Ingate. Using normal DNS lookups, the SIP proxy will then
forward the INVITE to the service provider, and the call is set up.

Limitations: This only affects customers whose Ingate is manually set
up, or set up with a Startup Tool version older than 2.0. It also
requires that the customer uses a service provider that uses IP
authentication (as opposed to password accounts), and that the customer
doesn't use the Ingate as the local registrar. It also requires that the
Ingate neither authenticates requests nor has any Reject rules set in
the Dial Plan or the Proxy Rules.

How to close your Ingate: To protect against this exploit, use the
latest Startup Tool to reconfigure your Ingate. If your configuration
does not allow this, add a Dial Plan rule, last in your Dial Plan table,
where the Action is set to "Reject".

If you use your Ingate as the registrar, select "Auth&Forward" for all
outbound calls in the Dial Plan.

Lisa Hallingström
Ingate Support Manager
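
A way to check captured SIP traffic for the pattern described in the advisory above, as an added example that is not part of the original message and not Ingate code: it labels INVITEs that arrive from outside with a Request-URI pointing at a domain the site does not serve. The local domain, inside network, label names and sample messages are constructed assumptions.

```python
import ipaddress
import re

# Constructed assumptions for illustration (not Ingate settings):
LOCAL_DOMAINS = {"pbx.example.com"}                    # domains this site serves
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # inside networks

# INVITE request line: optional user part, then host (name, IPv4 or [IPv6]).
REQUEST_LINE = re.compile(
    r"^INVITE\s+sips?:(?:[^@\s;>]+@)?(\[[^\]]+\]|[^:;>\s]+)", re.IGNORECASE)

def request_uri_host(sip_message):
    """Return the lower-cased Request-URI host of an INVITE, else None."""
    lines = sip_message.strip().splitlines()
    match = REQUEST_LINE.match(lines[0]) if lines else None
    return match.group(1).lower() if match else None

def classify(src_ip, sip_message):
    """Label one received SIP message by where it came from and where it points."""
    host = request_uri_host(sip_message)
    if host is None:
        return "not-invite"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in INSIDE_NETS):
        return "inside"            # outbound call from a local client
    if host in LOCAL_DOMAINS:
        return "inbound"           # outside caller reaching a local user
    return "relay-attempt"         # outside caller aimed at a foreign domain

# Constructed sample traffic: (source IP, raw SIP message).
SAMPLES = [
    ("203.0.113.7", "INVITE sip:0015550100@provider.example.net SIP/2.0\r\n\r\n"),
    ("203.0.113.7", "INVITE sip:alice@pbx.example.com:5060 SIP/2.0\r\n\r\n"),
    ("10.1.2.3", "INVITE sip:0015550100@provider.example.net SIP/2.0\r\n\r\n"),
    ("203.0.113.7", "REGISTER sip:pbx.example.com SIP/2.0\r\n\r\n"),
]

def report(samples):
    """Return (source IP, label) for every sample, in order."""
    return [(src, classify(src, msg)) for src, msg in samples]

if __name__ == "__main__":
    for src, label in report(SAMPLES):
        print(f"{src:15} {label}")
```

The "relay-attempt" label marks the traffic pattern the advisory describes: an INVITE from outside whose Request-URI names someone else's domain.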