An additional thought ... if you are concerned about the potential security issues described in the previous blog entry, but you are also concerned that you do not want to hastily update to NowSMS 2008 without additional testing for your specific application(s), then you may want to enable Data Execution Prevention within Windows on the PC or server that is running NowSMS.
As a practice, we enable this setting on all of our servers, as well as our development and testing machines. This Windows configuration setting enables extra protection in the processor and within Windows to prevent this type of stack buffer overflow from allowing any malicious code to be executed.
The downside is that some software may experience difficulty with this setting being enabled, but if necessary, it is possible to disable the setting for specific applications or services that encounter problems.
If NowSMS is running as a dedicated server, I think it is a no-brainer to enable this setting. And in my opinion, it is a good idea to enable this setting on most servers.
The Data Execution Prevention setting exists in Windows XP Service Pack 1 and higher, Windows 2003 Server, Windows Vista and Windows 2008 Server. In most of the server editions of Windows, the setting is enabled by default.
To configure this setting, use the "System" option in the Windows Control Panel. Select "Advanced" / "Performance" / "Settings" / "Data Execution Prevention". The options are to enable this setting for "essential Windows programs and services only", or for "all programs and services except those I select". Selecting "all programs and services except those I select" enables protection against malicious code attacks that target stack buffer overflows.
-bn
Wednesday, 27 February 2008
More Thoughts on the NowSMS Security Issue
Tuesday, 26 February 2008
NowSMS 2008 and Important Security Issues
The 2008 edition of the Now SMS/MMS Gateway is now available for download at http://www.nowsms.com/downloads/.
While the primary new feature of this version is improved performance and scalability for configurations that require throughput of 200 messages per second and higher, we want to draw the attention of all customers to this release, as it addresses a security issue that was recently posted on the internet at http://secunia.com/advisories/29003/.
At this time, we are not aware of any software that exploits these buffer overflow vulnerabilities for malicious purposes, nor do we know for certain that it is possible to exploit these vulnerabilities for such purposes, but we do believe that it is in the best interest of customers to update to NowSMS 2008, which addresses these vulnerabilities.
The proof of concept exploit code that has been published on the internet to highlight these vulnerabilities can trigger an internal restart of the NowSMS service, and could be used for a denial of service attack. It may be possible that variations of this attack could be used for other purposes, including remote system access (the full extent of potential vulnerability is not known).
This proof of concept code works by sending certain invalid requests to either the NowSMS HTTP/web interface port (the HTTP interface of the "SMS Gateway" component, not the HTTP port of MMSC), or the SMPP server, if enabled. The HTTP exploit can be blocked by using the "IP Address Restrictions" setting on the "Web" page of the NowSMS configuration dialog, and explicitly defining all IP addresses that are allowed to access the NowSMS web interface. The SMPP exploit can only be blocked not enabling the SMPP server (it is not enabled by default), or blocking access to the SMPP server port via a firewall that is external to NowSMS.
To address these vulnerabilities, all NowSMS customers are advised to either limit access to these affected server ports, and/or update to NowSMS 2008. The NowSMS 2008.02.22 update is being made available free of charge to all licensed customers of NowSMS 2006 and 2007, even if they do not have an up-to-date maintenance and enhancements agreement. (Access to future NowSMS 2008 updates will require an up-to-date maintenance and enhancements agreement.)
More information about the NowSMS 2008 release:
NowSMS 2008 offers dramatically improved speed and performance for configurations that require messaging throughput of 200 messages per second and higher. In particular, the performance of delivery receipt message id tracking in SMPP environments has improved substantially so that message sending rates in excess of 200 messages per second are easily sustainable for extended periods of time, even as delivery receipts are received at a similar rate. Message id assignments for multipart messages have also been modified to provide for uniqueness.
An improved queuing mechanism offers improved performance for processing bulk messaging queues, and the async mode SMPP implementation has been optimised to provide for maximum throughput.
An XML-based query interface has been added to allow for external reporting of operational and performance statistics including SMSC connection status and messaging throughput.
MM7 support has been enhanced to allow more flexibility in modifying the XML output to allow for quirks in early versions of the MM7 specification, and questionable MM7 implementations by some MM7 service providers. Digest Authentication support has also been added for external MM7 connections.
Support has been added for additional Open Mobile Alliance standards, including DRM 2.1 ROAP Triggers, which are now supported via the PAP (Push Access Protocol) and XML Settings interfaces.
Additional release notes regarding the NowSMS 2008 Edition can be found in the following post: http://www.nowsms.com/discus/messages/53/23641.html
