DNS Flaw Could Disrupt Unified Communications
Last week at Hyperconnectivity.com I talked about the DNS vulnerability as a business case for unified communications; today I want to dive into the parallel security issue the DNS vulnerability creates for unified communications. It’s non-trivial to redirect PSTN calls, but DNS controls the endpoint of most SIP/VoIP calls.
There are two baseline risks at play: internal and external. Let’s look at internal first before jumping to the external issues.
There’s the old statistic that 86% of security breaches happen from the inside. I’m not sure if I buy that, but there are still significant risks. To make matters worse, when was the last time you saw an audit control for “ensure DNS cache records aren’t poisoned”? I’d guess never. An admin could easily replicate the existing VoIP infrastructure but instruct it to record all calls from executives for playback at a later time. The cache poisoning vulnerability could be used to redirect calls to the “new” gateway/PBX without anyone knowing unless they were specifically looking for it. This exploit could be removed with minimal impact, and calls redirected back to the old location. I’m not saying “do it”, but come on, it wouldn’t be that difficult.
Next, there’s the external issue. An internal employee causing mischief is one thing, but an unknown and uncontrolled malicious force on the Internet is something else entirely! Following the same process above, an attacker could reroute or record SIP calls travelling over the Internet. Best case is a VoIP denial-of-service attack; worst case is invaluable IP leaving the company for the hands of an unknown attacker. This assumes, of course, that the transport is SIP over UDP or TCP. SIP over TLS (over TCP) would make the attack considerably more difficult. Maybe Microsoft had something when they forced TLS for Office Communications Server, eh?
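Because SIP clients locate their gateway through DNS SRV records, one control that catches the redirection described above is to decode the SRV answers a resolver hands back and compare every target against a pinned list of known gateways. The following is an added example, not code from the original post; the gateway names, the pinned baseline and the constructed response bytes are assumptions made for illustration.

```python
import struct

def encode_name(name):  # DNS wire-format name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a name that may use RFC 1035 compression; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier copy of the name; the field ends after these 2 bytes
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_srv_answers(msg):
    """Return (owner, priority, weight, port, target) for each SRV RR (type 33) in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip each question: name, then 2-byte type and class
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((owner, prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return records

def audit_sip_srv(msg, pinned):  # flag every SRV answer steering calls to a gateway outside the pinned set
    return [f"{owner} -> {target}:{port} (priority {prio}) is not a pinned gateway"
            for owner, prio, _, port, target in parse_srv_answers(msg) if target not in pinned]

def build_srv_response(qname, answers):  # constructed response: header, one question, SRV answers
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)  # id, flags (QR+RD+RA), section counts
    msg += encode_name(qname) + struct.pack("!HH", 33, 1)  # question: SRV, IN
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 300, len(rdata)) + rdata  # owner = pointer to question name
    return msg
# Constructed sample: the real gateway plus an unexpected entry that wins on priority (lower value is tried first).
PINNED = {"sip1.example.com", "sip2.example.com"}
SAMPLE = build_srv_response("_sip._udp.example.com", [(10, 60, 5060, "sip1.example.com"), (5, 60, 5060, "rogue-gateway.example")])
```

Running `audit_sip_srv(SAMPLE, PINNED)` reports the unexpected target; feeding it the raw bytes of a live response lets the same check run against a production resolver's cache.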
All the more reason to patch your DNS servers NOW! As if you needed another reason…
[...] July 31, 2008 - DNS Flaw Could Disrupt Unified Communications [...]