Some days ago, a potential vulnerability has become known where the default configuration of another suppliers SBC was not secured enough and potentially allowed toll-fraud or phishing attacks when used in context with Microsoft Teams Direct Routing: Blog Post Abusing Microsoft Teams Direct Routing
anynode is not susceptible to this attack, as the Wizard creating the MS Teams Direct Routing node creates a specific filter for the exact IP ranges that Microsoft has specified in its documentation. For incoming MS Teams Direct Routing TLS connections, anynode’s Wizard activates mutual TLS, and anynode checks whether the certificate presented by the remote peer was created by one of the two CAs that are specified by Microsoft.
Additionally, the customer can tighten security even more by requiring the certificates presented by the remote side to contain one of the following SANs:
TE-SYSTEMS will be supplying a new anynode version (4.6.26) next week, which will optionally reconfigure existing MS Teams nodes with the SAN-filtering shown above.