Some days ago, a potential vulnerability became known where the default configuration of other suppliers’ SBC was not secured enough and potentially allowed toll-fraud or phishing attacks when used in context with Microsoft Teams Direct Routing: Blog Post Abusing Microsoft Teams Direct Routing
anynode is not susceptible to this attack, as the Wizard creating the MS Teams Direct Routing node creates a specific filter for the exact IP ranges that Microsoft has specified in its documentation. For incoming MS Teams Direct Routing TLS connections, anynode’s Wizard activates mutual TLS, and anynode checks whether the certificate presented by the remote peer was created by one of the two CAs that are specified by Microsoft.
Additionally, the customer can tighten security even more by requiring the certificates presented by the remote side to contain one of the following SANs:
sip.pstnhub.microsoft.com
sip2.pstnhub.microsoft.com
sip3.pstnhub.microsoft.com
TE-SYSTEMS will supply a new anynode version (4.6.26) next week, optionally reconfiguring existing MS Teams nodes with the SAN filtering shown above.