UPDATE! AudioCodes SBC Configuration Update for Teams Direct Routing
Introduction
On October 26, 2022, AudioCodes published 0483 Product Notice – SBC Security Configuration update for Microsoft Teams Direct Routing. The notice provides configuration changes that mitigate a recently discovered vulnerability in the Session Border Controller (SBC) configuration for Teams Direct Routing that AudioCodes had previously published.
This notice applies to all installed AudioCodes Teams Direct Routing SBCs as well as to all new installations. The information in the update applies to all Office 365, Microsoft 365 and GCC tenants; it does not apply to “GCC DOD” or “GCC High” tenants. Towards the end of this blog you will find guidance, interpreted by Enabling Technologies, for those two (2) types of tenants. ETC’s guidance is not official AudioCodes guidance, but it follows the intent of the configuration update.
Vulnerability
“an unauthenticated attacker could be able to send specially crafted SIP messages that pretend to originate from Microsoft and make unauthorized external calls; this may allow an attacker to make calls impersonating to be a legitimate user or to perform toll fraud.”
AudioCodes Recommended Configuration Changes for Office 365, Microsoft 365 and GCC tenants
All versions of the AudioCodes SBC Configuration Guides for Teams Direct Routing through June 7, 2022, included a single Classification rule for handling inbound traffic from Microsoft Teams.
When traffic arriving at the SBC meets the rule’s criteria, the Classification rule assigns that traffic to the “Teams” IP Group:
The Teams Direct Routing documentation from Microsoft for Microsoft 365, Office 365 and GCC environments states that there are three (3) FQDNs that a Teams Direct Routing SBC needs to communicate with:
These FQDNs will resolve to IP addresses in these ranges:
The problem with the old Classification rule is that the “52.*.*.*” source-address criterion matches any address in the range 52.0.0.1 to 52.255.255.254, not just the addresses Microsoft uses for Teams Direct Routing.
Eight (8) new rules replace the old single rule. The AudioCodes configuration guides were updated on September 7, 2022, to reflect these new rules. The rules narrow the range of permitted IP addresses to correspond to the Microsoft-defined 52.112.0.0/14 and 52.120.0.0/14 ranges:
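To show why the old wildcard rule was too broad and how the narrowed rules behave, here is an added Python example (not from the AudioCodes notice or guides). It assumes the eight replacement rules are one octet-wildcard pattern per /16 block inside the two /14 ranges; the page states only their count and the ranges they cover. It classifies sample source addresses against the old and new rule sets and audits that the new rules cover the Microsoft ranges exactly.

```python
import ipaddress

# Microsoft-published Teams Direct Routing ranges cited on the page
TEAMS_RANGES = [ipaddress.ip_network("52.112.0.0/14"),
                ipaddress.ip_network("52.120.0.0/14")]

# The single Classification rule from the pre-June-2022 guides
OLD_RULE = ["52.*.*.*"]


def build_new_rules(ranges=TEAMS_RANGES):
    """Expand each /14 into its /16 blocks, written as octet wildcards
    (e.g. "52.112.*.*"). Assumption: this is how the eight rules are formed."""
    rules = []
    for net in ranges:
        for sub in net.subnets(new_prefix=16):
            o = str(sub.network_address).split(".")
            rules.append(f"{o[0]}.{o[1]}.*.*")
    return rules


def wildcard_matches(pattern, ip):
    """Octet-by-octet match where '*' accepts any value in that octet."""
    pat = pattern.split(".")
    octs = str(ipaddress.ip_address(ip)).split(".")
    return all(p == "*" or p == o for p, o in zip(pat, octs))


def classify(ip, rules):
    """IP Group a source address would be assigned to, or None if unmatched."""
    return "Teams" if any(wildcard_matches(r, ip) for r in rules) else None


def pattern_to_network(pattern):
    """Turn a leading-fixed-octet wildcard ("52.112.*.*") into a CIDR network."""
    fixed = sum(1 for o in pattern.split(".") if o != "*")
    return ipaddress.ip_network(pattern.replace("*", "0") + f"/{8 * fixed}")


def rules_match_ranges(rules, ranges=TEAMS_RANGES):
    """Audit: every rule must sit inside a published range, and together the
    rules must cover the ranges exactly (no gaps, no overreach)."""
    nets = [pattern_to_network(r) for r in rules]
    inside = all(any(n.subnet_of(rg) for rg in ranges) for n in nets)
    total = sum(n.num_addresses for n in nets)
    return inside and total == sum(rg.num_addresses for rg in ranges)


if __name__ == "__main__":
    new_rules = build_new_rules()
    for src in ["52.1.2.3", "52.114.10.20", "52.120.0.1", "52.116.0.1"]:
        print(src, "old:", classify(src, OLD_RULE), "new:", classify(src, new_rules))
```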
GCC DOD and GCC High Tenants
Neither the configuration guides nor the security update provides the Classification or SBC firewall rules for GCC DOD or GCC High tenants. There is no mention of GCC DOD or GCC High tenants at all in these documents.
There is only one (1) Fully Qualified Domain Name (FQDN) that SBCs installed for GCC DOD tenants need to communicate with:
This FQDN will resolve to IP addresses in a single IP address range:
Following the examples for the Office 365, Microsoft 365 and GCC tenants, Enabling Technologies recommends that GCC DOD tenants add these eight (8) Classification rules to their SBCs:
GCC DOD tenants need only one (1) rule for Teams on the SBC’s firewall:
There is only one (1) Fully Qualified Domain Name (FQDN) that SBCs installed for GCC High tenants need to communicate with:
This FQDN will resolve to IP addresses in a single IP address range:
Following are the recommended Classification rules for GCC High tenants:
Recommended single firewall rule for a GCC High tenant:
Summary
eGroup | Enabling Technologies is available and ready to answer any questions that you might have about this security update, SBC hardening and security as well as overall security for your enterprise. If you need help in implementing a security infrastructure for your organization, please contact us at info@enablingtechcorp.com.
Bibliography
AudioCodes has written several documents addressing security on their Session Border Controllers and Gateways. There are versions for the 7.2 and 7.4 firmware in which they discuss the importance of setting up the SBC’s firewall rules:
· SBC-Gateway Recommended Security Guidelines Ver. 7.2
· SBC-Gateway Recommended Security Guidelines Ver. 7.4
The AudioCodes SBC user manuals can also be found in the Library section of the AudioCodes website.
Cloud Solutions Architect - Enabling Technologies
Last updated on July 31st, 2023 at 12:57 pm