Vulnerability makes Microsoft Teams vulnerable to fraud

A recently discovered vulnerability in Microsoft Teams allows attackers, among other things, to cheat companies out of telephony charges. Administrators can – and should – take targeted protective measures.

With the appropriate license and a certified Enterprise Session Border Controller, i.e. a security and control component for VoIP networks, Microsoft Teams includes integration into the public telephone network. The Mediant product range from the manufacturer AudioCodes is often used as an Enterprise Session Border Controller (E-SBC). With it, IT security consultant Moritz Abrell from SySS was recently able to discover a vulnerability in Microsoft Teams’ direct routing telephony integration, which can be traced back to insufficient authentication methods.

If attackers exploit this vulnerability, they can incur high charges on behalf of the affected company by dialing value-added numbers or international calls. However, by simulating other source phone numbers, the vulnerability could also facilitate phishing attacks.

Technical background

If a call is to be made with an external number, the software sends the call to the E-SBC via a previously configured SIP trunk. This checks the incoming call using a so-called classification and forwards it according to the configured call routing rules. It should actually be ensured that only calls from trustworthy sources are accepted and forwarded. According to Abrell, the manufacturer initially only recommended that the target FQDN in the SIP request match that of the SBC and that the SIP contact header should contain “pstnhub.microsoft.com”. However, by checking the common name or subject alternative name attribute of the SBC’s certificate via tools such as OpenSSL, attackers can easily obtain this information. With a self-signed certificate and the correct setting of header data, Moritz Abrell managed to present himself as a valid SIP request from MS Teams. The IT security consultant was then able to make external telephone calls.

In the Responsible Disclosure procedure, the manufacturer has added an IP filter for the source IP addresses of MS Teams to its security recommendations to classify calls before they are forwarded to the respective telephony provider. However, the recommendation contained the large IPv4 address block 52.0.0.0/8 from AWS, which also contains many other software in addition to teams.

There was also a recommendation for bidirectional TLS authentication of the SIP messages. However, the SBC must trust two root CAs: DigiCert Global Root G2 and Baltimore CyberTrust Root. Showing a certificate for any FQDN from these certification authorities is already sufficient. The vulnerability could still be exploited if the attackers can show a certificate for domains under their own control from one of the root CAs mentioned. A filter for certificates with FQDNs from MS teams in the CN or SAN attribute would be better here – but that would not be possible with all products. Another possibility would be a dedicated CA.

According to the manufacturer’s recommendation, further security should bring filters to certain source numbers. However, source numbers can often be read from websites or public telephone directories. Following the Responsible Disclosure, AudioCodes added a tightened incoming firewall rule for the E-SBC for SIP and the IPv4 address blocks 52.112.0.0/14 and 52.120.0.0/14 to its security recommendations.

Recommendations for teams admins

You can use the following countermeasures to protect your own infrastructure from the vulnerability:

Incoming restrictive IP filters on IP address blocks 52.112.0.0/14 & 52.120.0.0/14 for SIP communication with Teams Direct Routing
Use of mutual TLS authentication
Filter on the Subject Alternative Name sip.pstnhub.microsoft.com in the certificate
Restrictive assignment of rights for calls to premium rate and international numbers
Limit maximum call duration
Perform source phone number validation
Evaluate logs regularly for anomalies – Vulnerability makes Microsoft Teams vulnerable to fraud

Sources: Moritz Abrell & SysS Tech Blog

Kubernetes

ccloud³

Managed Server

Cloud GPU

S3 Object Storage

Enterprise

Saas-Hosting

Startup

Linux-Hosting

VMware Migration

Docker Hosting

Help Center

Trust Center

Glossar

Tutorials