Monday, July 5, 2021

Port 123 was actually used... and I feel like a fool

We've had some VoIP phones for over a year now, and we've never been able to get the time synced up properly on them. After trying to correct the error on the cloud management panel, the DHCP server, and even contacting our ISP to make sure their exchange was broadcasting the right time, I gave up long ago and just set the handsets' time manually.

So today I conducted an audit of our security and was looking through the Layer 3 filters that were set some time ago. I remember blocking them based on the 'SANS Institute: Commonly Probed Ports' paper and thought I'd check for an updated copy for any new ports deemed outright vulnerable since then. That's when I saw it. Port 123 controls the Network Time Protocol. No. It couldn't be...

I disabled the rule and within seconds all the VoIP handsets flashed at once with the correct time. I couldn't believe it. I'm almost 30 and have never used a device or application that uses port 123 instead of an HTTP/S request. I feel like a twit. When I told my colleague, he pointed out that the engineer who "invented" port 123 must've been British, as that's the number you dial to get the talking clock in the UK, which led to a cool conversation about port origins and 666.

Obviously I've set up mitigations for this now-vulnerable open port, but a few things to learn from my stupidity:

1: Review your firewall rules regularly.

2: When documenting firewall rules, make sure one of the columns in your sheet notes what the port/application layer was intended to do. Looking at a vague list of numbers and moving on to the next thing is too easy.
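One way to put both lessons into a repeatable check, as an added example that is not part of the original post: the script below reads a rule sheet, flags rules with an empty purpose column, and flags block rules that hit a service the network actually depends on. The sheet layout, the small port-to-service map, and the `audit_rules` function are assumptions made for illustration.

```python
import csv
import io

# Constructed sample rule sheet (not from the original post).
SAMPLE_SHEET = """rule_id,action,protocol,port,purpose
1,block,tcp,23,Telnet - no legitimate use on this network
2,block,udp,123,
3,block,tcp,445,SMB - never allowed across the perimeter
4,allow,tcp,443,HTTPS for staff browsing
5,block,udp,69,
"""

# Small constructed subset of IANA well-known port assignments.
KNOWN_SERVICES = {
    ("tcp", 23): "telnet",
    ("udp", 69): "tftp",
    ("udp", 123): "ntp",
    ("tcp", 443): "https",
    ("tcp", 445): "microsoft-ds",
}


def audit_rules(sheet_text, services_in_use):
    """Return (rule_id, issue, service) findings for a firewall rule sheet."""
    findings = []
    for row in csv.DictReader(io.StringIO(sheet_text)):
        key = (row["protocol"].strip().lower(), int(row["port"]))
        service = KNOWN_SERVICES.get(key, "unknown")
        purpose = (row["purpose"] or "").strip()
        # Lesson 2: every rule should say what the port was intended to do.
        if not purpose:
            findings.append((row["rule_id"], "missing-purpose", service))
        # Lesson 1: a block rule on a service devices rely on needs review.
        if row["action"].strip().lower() == "block" and service in services_in_use:
            findings.append((row["rule_id"], "blocks-service-in-use", service))
    return findings


if __name__ == "__main__":
    # Hypothetical inventory: services that devices on this network depend on.
    for rule_id, issue, service in audit_rules(SAMPLE_SHEET, {"ntp", "https"}):
        print(f"rule {rule_id}: {issue} ({service})")
```

Run against the sample sheet, the undocumented UDP 123 block is reported twice: once for having no stated purpose and once for blocking a service in use.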


