Provisioner Security


Recommended Posts

Although Provisioner is a nice tool, it's too easy for someone to retrieve credentials. The config files are in plain text (at least for the Polycom I tested) and there is no authentication with HTTP. It is too easy to scan through MAC addresses to obtain SIP credentials and more. Config files need to be encrypted, or need HTTP authentication, or HTTPS with authentication.

  • Administrators
When the provisioner tool was created, encryption wasn't available in many cases. In addition, adding it can lead to other issues (like people using the same user/pass for all their clients, or not knowing how to configure it, etc.)

We added some functionality to provisioner which blocks scanning requests and does not allow you to download the config files without knowing a few things about properly crafting a request. So this is not actually as insecure as you're pointing out. It's been pretty solid.

At this point, you'd basically have to craft a perfect request and know the exact MAC address of the phone you want to grab.

In the future, we'll be locking this down by IP and providing functionality to deal with dynamic IPs. This should put an end to this, encryption or no encryption.

OK. Transmitting a plain-text config file which contains SIP auth will not be allowed by some installation customers. Another thing I noticed: if you create a device from the Advanced Provisioner app, the default SIP username and password are the same as the Kazoo / Monster UI web login credentials. I tried to change them but got an "Account is not reseller" error.

  • 1 month later...
  • 2600Hz Employees
Hi, regarding this and your previous question, this behavior is not because of the advanced provisioner. We've seen this before, and this tends to happen when your browser automatically completes the username and password fields and the template is saved without removing it. If this is an existing issue, you can check your configuration for the account or reseller settings and blank those fields if they have values. Hope this helps! 

  • 10 months later...
I provisioned a Yealink T21P today and realized that the phone updates the "Auto Provision" URL to the exact HTTP URL necessary to browse and retrieve the config file in plain text. I was able to copy/paste the URL from the phone into a random browser and browse the directory structure.

Do the Yealink phones require list/browse permissions to function correctly? I was able to browse the directory and click on the cfg file and read the SIP credentials in plain text right in my browser.

This makes me nervous.

It is also worth noting that the T21P inherits the UDP transport. I had to manually configure DNS/NAPTR in the root of the default provisioner. I also set the outbound proxy port to 0 instead of inheriting 7000 so I could confirm that the NAPTR settings were getting queried correctly. I was thinking that SRV/NAPTR was going to be the default transport in the provisioner.

I will email you some additional detail, posting it here makes me nervous as well.
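The exposure described in the first post and in the Yealink T21P post above (config fetched over plain HTTP, no authentication, browsable directory, SIP auth credentials readable in the cfg file) can be checked mechanically. The following is an added example, not code from 2600Hz or from the Provisioner tool: it audits a provisioning URL plus the body returned for it and reports those four conditions. The Yealink `account.N.auth_name` / `account.N.password` keys and the Polycom `reg.N.auth.userId` / `reg.N.auth.password` attributes are the real key names used by those vendors' config formats; the sample config bodies, the hostname `prov.example.com` and the `audit_provisioning` function are constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample config bodies in the two formats mentioned in the thread.
# They are illustrations, not files retrieved from any real provisioner.
YEALINK_CFG = """#!version:1.0.0.1
account.1.enable = 1
account.1.label = 1001
account.1.auth_name = 1001
account.1.password = s3cret
account.1.sip_server.1.address = sip.example.com
account.1.sip_server.1.port = 5060
"""

POLYCOM_CFG = """<?xml version="1.0" standalone="yes"?>
<PHONE_CONFIG>
  <reg reg.1.address="1002@sip.example.com"
       reg.1.auth.userId="1002"
       reg.1.auth.password="hunter2"/>
</PHONE_CONFIG>
"""

# Credential-bearing keys: Yealink "key = value" lines and Polycom XML attributes.
YEALINK_SECRET = re.compile(r'^\s*(account\.\d+\.(?:auth_name|password))\s*=\s*(\S*)', re.M)
POLYCOM_SECRET = re.compile(r'(reg\.\d+\.auth\.(?:userId|password))="([^"]*)"')


def find_sip_credentials(body):
    """Return (key, value) pairs for SIP auth settings present in cleartext."""
    found = YEALINK_SECRET.findall(body) + POLYCOM_SECRET.findall(body)
    return [(k, v) for k, v in found if v]


def looks_like_directory_listing(body):
    """Heuristic for an auto-index page served instead of a config file."""
    return bool(re.search(r'<title>\s*Index of\s+/', body, re.I)) or 'Parent Directory' in body


def audit_provisioning(url, body, http_status=200, www_authenticate=None):
    """Audit one provisioning fetch.

    url              -- the Auto Provision URL as shown on the phone
    body             -- response body obtained with an unauthenticated client
    http_status      -- status code of that response
    www_authenticate -- value of the WWW-Authenticate header, if any
    Returns a list of human-readable findings; an empty list means no issue found.
    """
    findings = []
    u = urlparse(url)
    if u.scheme == 'http':
        findings.append('plaintext transport: config fetched over http://')
    # A 200 with no challenge and no credentials in the URL means anyone who
    # knows (or guesses) the MAC-based filename can download the config.
    if http_status == 200 and www_authenticate is None and not u.username:
        findings.append('no authentication: config served to an unauthenticated client')
    if looks_like_directory_listing(body):
        findings.append('directory listing enabled on provisioning path')
    creds = find_sip_credentials(body)
    if creds:
        keys = ', '.join(k for k, _ in creds)
        findings.append(f'SIP credentials in cleartext config: {keys}')
    return findings


if __name__ == '__main__':
    for finding in audit_provisioning('http://prov.example.com/0015651a2b3c.cfg', YEALINK_CFG):
        print('-', finding)
```

To use it against a live deployment, fetch the URL shown on the phone with a plain client (no cookies, no auth) and pass the status code, the WWW-Authenticate header and the body; a 401 with a challenge is the result you want to see, and an HTTPS URL removes the transport finding. The directory-listing check is a heuristic on common auto-index markup and should be confirmed by eye.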
