UPDATE! AudioCodes SBC Configuration Update for Teams Direct Routing

Introduction

On October 26, 2022, AudioCodes published 0483 Product Notice – SBC Security Configuration update for Microsoft Teams Direct Routing. The article provides configuration information to mitigate a recently discovered vulnerability in the Session Border Controller (SBC) configuration for Teams Direct Routing that had been previously published by AudioCodes.

This notice applies to all installed AudioCodes Teams Direct Routing SBCs as well as all new installations. The information in the update applies to all Office 365, Microsoft 365 and GCC tenants. It does not apply to “GCC DOD” or “GCC High” tenants. Towards the end of this blog, you will find some guidance interpreted by Enabling Technologies for these two (2) types of tenants. ETC’s guidance is not official AudioCodes guidance but does follow the intent of the configuration update.

Vulnerability

  • Without the mitigation described below, the vulnerability could allow an attacker to place calls through the SBC as if they were a legitimate Teams user.
  • From the configuration notice:

“an unauthenticated attacker could be able to send specially crafted SIP messages that pretend to originate from Microsoft and make unauthorized external calls; this may allow an attacker to make calls impersonating to be a legitimate user or to perform toll fraud.”

AudioCodes Recommended Configuration Changes for Office 365, Microsoft 365 and GCC tenants

High Level

  1. Replace the previously defined Classification rules with new more specific rules.
  2. Configure SBC Firewall Rules.

“Old” Classification Rules

All versions of the AudioCodes SBC Configuration Guides for Teams Direct Routing through June 7, 2022 included a single Classification rule for handling inbound traffic from Microsoft Teams.

When traffic arrives at the SBC and meets all of the following criteria, the Classification rule assigns it to the “Teams” IP Group:

  1. Arrives on the SBC through the “Teams” SIP interface.
  2. The IP address of the source falls within the range 52.0.0.0 through 52.255.255.255. The classification rules do not allow you to apply a subnet mask to the specified IP address.
  3. The destination host in the SIP INVITE matches the Fully Qualified Domain Name (FQDN) of the SBC. This is the same FQDN that is specified when the SBC is configured in the Teams Admin Center.
  4. It meets the criteria of the Message Condition rule named “Teams-Contact”.
    1. This rule requires that the URI in the Contact header of the SIP INVITE contains “pstnhub.microsoft.com”.

The Teams Direct Routing documentation from Microsoft for Microsoft 365, Office 365 and GCC environments states that there are three (3) signaling FQDNs that a Teams Direct Routing SBC needs to communicate with:

  1. sip.pstnhub.microsoft.com
  2. sip2.pstnhub.microsoft.com
  3. sip3.pstnhub.microsoft.com

These FQDNs will resolve to IP addresses in these ranges:

  1. 52.112.0.0/14: Available addresses – 52.112.0.1 to 52.115.255.254
  2. 52.120.0.0/14: Available addresses – 52.120.0.1 to 52.123.255.254

The problem with the old classification rule is that the “52.*.*.*” address criteria will match any address in the range 52.0.0.1 to 52.255.255.254.

New Classification Rules

There are eight (8) new rules that replace the old single rule. The AudioCodes configuration guides were updated on September 7, 2022, to reflect these new rules. The rules narrow the permitted source addresses to the Microsoft-defined 52.112.0.0/14 and 52.120.0.0/14 ranges. Because the Source IP field of a Classification rule accepts octet wildcards but not a subnet mask, each /14 has to be written as four /16 rules (52.112.*.* through 52.115.*.* and 52.120.*.* through 52.123.*.*), which is where the count of eight comes from.

Firewall Rules

  • While AudioCodes believes the new Classification rules are sufficient mitigation of the issue, they suggest configuring the SBC’s built-in firewall as an added layer of protection. The Security Update references the Teams Direct Routing configuration guide, where the firewall rules can be found.
  • eGroup | Enabling Technologies recommends that these firewall rules be added to all AudioCodes SBCs configured to support Microsoft Teams Direct Routing.
  • In a previous blog post, Configuring the Firewall Rules on an AudioCodes SBC for Microsoft Teams, the configuration of the AudioCodes SBC firewall was discussed and a set of sample rules were provided. The rules referred to by the AudioCodes configuration guide were included in the sample rules and are highlighted in the table below:

GCC DOD and GCC High Tenants

Neither the configuration guides nor the security update provides the Classification or SBC firewall rules for GCC DOD or GCC High tenants. There is no mention of GCC DOD or GCC High tenants at all in these documents.

GCC DOD Tenants

There is only one (1) Fully Qualified Domain Name (FQDN) that SBCs installed for GCC DOD tenants need to communicate with:

  1. pstnhub.dod.teams.microsoft.us

This FQDN will resolve to IP addresses in a single IP address range:

  1. 52.127.64.0/21: Available addresses – 52.127.64.1 to 52.127.71.254

Following the examples for the Office 365, Microsoft 365 and GCC tenants, Enabling Technologies recommends that GCC DOD tenants add these eight (8) Classification rules to their SBCs. As with the commercial ranges, the /21 cannot be expressed with a subnet mask in a Classification rule, so it is written as eight /24 rules (52.127.64.* through 52.127.71.*):

GCC DOD tenants need only one (1) rule for Teams on the SBC’s firewall, because firewall rules accept a prefix length:

GCC High Tenants

There is only one (1) Fully Qualified Domain Name (FQDN) that SBCs installed for GCC High tenants need to communicate with:

  1. pstnhub.gov.teams.microsoft.us

This FQDN will resolve to IP addresses in a single IP address range:

  1. 52.127.88.0/21: Available addresses – 52.127.88.1 to 52.127.95.254

Following are the recommended Classification rules for GCC High tenants (again eight /24 rules, 52.127.88.* through 52.127.95.*):

Recommended single firewall rule for a GCC High tenant:
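The following is a worked example added to this post; it is not code from AudioCodes or from the original article. It models the two layers discussed above for all three tenant types: the Classification rule, whose Source IP field takes per-octet wildcards but no subnet mask (so the commercial /14 ranges and the GCC DOD and GCC High /21 ranges each expand to eight rules), and the SBC firewall, which takes a prefix length (so one rule per range). The SBC FQDN, the sample INVITE fields and the source addresses are constructed for the example, and only the source-IP, destination-host and Contact criteria of the Classification rule are modelled; the SIP-interface criterion is left out.

```python
"""Model of the AudioCodes Teams Classification change (added example).

Classification rules take a per-octet wildcard in the Source IP field
(e.g. "52.*.*.*") but no subnet mask, so a /14 or /21 must be expanded into
several rules. The SBC firewall takes a prefix length, so one rule per range
is enough there. Both layers are checked against constructed sample traffic.
"""
import ipaddress

SBC_FQDN = "sbc.example.com"                    # assumed SBC FQDN (placeholder)
TEAMS_CONTACT_MARKER = "pstnhub.microsoft.com"  # the "Teams-Contact" condition
OLD_RULES = ["52.*.*.*"]                        # pre-update source-IP criterion

# Signalling ranges quoted in the article, per tenant type.
TEAMS_RANGES = {
    "commercial/GCC": ["52.112.0.0/14", "52.120.0.0/14"],
    "GCC DOD": ["52.127.64.0/21"],
    "GCC High": ["52.127.88.0/21"],
}


def cidr_to_wildcard_rules(cidr: str) -> list[str]:
    """Expand a CIDR block into the fewest octet-wildcard patterns that cover it.

    A pattern can only express a prefix on an octet boundary (/8, /16, /24),
    so the block is split into subnets at the next boundary at or above its
    prefix length: 52.112.0.0/14 -> four /16 patterns, 52.127.64.0/21 -> eight /24s.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    boundary = -(-net.prefixlen // 8) * 8   # round up to a multiple of 8
    kept = boundary // 8                    # octets written out literally
    rules = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")
        rules.append(".".join(octets[:kept] + ["*"] * (4 - kept)))
    return rules


def teams_rules(tenant: str) -> list[str]:
    """Source-IP patterns for the replacement Classification rules of a tenant type."""
    return [r for cidr in TEAMS_RANGES[tenant] for r in cidr_to_wildcard_rules(cidr)]


def wildcard_matches(pattern: str, ip: str) -> bool:
    """True when a dotted-quad address matches an octet-wildcard pattern."""
    p, o = pattern.split("."), ip.split(".")
    return len(p) == len(o) == 4 and all(a == "*" or a == b for a, b in zip(p, o))


def classify_as_teams(source_ip: str, request_host: str, contact: str,
                      source_rules: list[str]) -> bool:
    """Model the Teams Classification rule: every criterion must hold.

    The SIP-interface criterion is not modelled. Only the source-IP criterion
    changed in the update; the destination-host and Contact checks are the same
    before and after, and an attacker controls both fields in a crafted INVITE,
    so the source-IP range is the criterion that actually carries the control.
    """
    return (request_host.lower() == SBC_FQDN
            and TEAMS_CONTACT_MARKER in contact.lower()
            and any(wildcard_matches(r, source_ip) for r in source_rules))


def firewall_allows(ip: str, tenant: str) -> bool:
    """SBC firewall check: prefix lengths are supported, so one rule per range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in TEAMS_RANGES[tenant])


# Constructed sample INVITEs (not captured traffic). The crafted one comes from
# a host inside 52.0.0.0/8 that is not a Microsoft signalling address.
GENUINE = dict(source_ip="52.114.7.24", request_host=SBC_FQDN,
               contact="<sip:sip.pstnhub.microsoft.com:5061;transport=tls>")
CRAFTED = dict(source_ip="52.200.1.1", request_host=SBC_FQDN,
               contact="<sip:attacker@pstnhub.microsoft.com>")


if __name__ == "__main__":
    for tenant in TEAMS_RANGES:
        print(f"{tenant}: {len(teams_rules(tenant))} Classification rules -> "
              + ", ".join(teams_rules(tenant)))
    new = teams_rules("commercial/GCC")
    for name, msg in (("genuine", GENUINE), ("crafted", CRAFTED)):
        print(f"{name} INVITE from {msg['source_ip']}: "
              f"old rule={classify_as_teams(source_rules=OLD_RULES, **msg)} "
              f"new rules={classify_as_teams(source_rules=new, **msg)} "
              f"firewall={firewall_allows(msg['source_ip'], 'commercial/GCC')}")
```

Running the script shows the crafted INVITE classified as Teams traffic under the old 52.*.*.* rule and rejected under the expanded rules and by the firewall, while the genuine one passes both before and after; the rule counts it prints (eight per tenant type) match the counts given above.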

Summary

  • AudioCodes recommends that every deployed AudioCodes Session Border Controller integrated with Microsoft Teams Direct Routing have its Teams Classification rule replaced with the new rules as soon as possible.
  • While AudioCodes leaves the addition of the SBC firewall rules as an optional task, Enabling Technologies recommends that they be implemented.
  • In this blog we did not discuss the purpose of the Classification rules nor how to configure them for SIP Trunks, connected Emergency Routing Service Providers, Contact Centers, on-premises PBXs, etc. We will be taking a deeper dive into these rules in a future blog as part of our ongoing series on hardening AudioCodes SBCs against security threats and vulnerabilities.


eGroup | Enabling Technologies is available and ready to answer any questions that you might have about this security update, SBC hardening and security as well as overall security for your enterprise. If you need help in implementing a security infrastructure for your organization, please contact us at info@enablingtechcorp.com.

Bibliography

AudioCodes has written several documents addressing security on their Session Border Controllers and Gateways. There are versions for the 7.2 and 7.4 firmware in which they discuss the importance of setting up the SBC’s firewall rules:

  • SBC-Gateway Recommended Security Guidelines Ver. 7.2
  • SBC-Gateway Recommended Security Guidelines Ver. 7.4

The AudioCodes SBC user manuals can also be found in the Library section of the AudioCodes website.

John Miller

Cloud Solutions Architect - Enabling Technologies

Last updated on July 31st, 2023 at 12:57 pm