NowSMS 2008 and Important Security Issues

Posted by on Feb 26, 2008 in Support Blog

Topic Keywords: ,

The 2008 edition of the Now SMS & MMS Gateway is now available for download at http://www.nowsms.com/downloads/.

While the primary new feature of this version is improved performance and scalability for configurations that require throughput of 200 messages per second and higher, we want to draw the attention of all customers to this release, as it addresses a security issue that was recently posted on the internet at http://secunia.com/advisories/29003/.

At this time, we are not aware of any software that exploits these buffer overflow vulnerabilities for malicious purposes, nor do we know for certain that it is possible to exploit these vulnerabilities for such purposes, but we do believe that it is in the best interest of customers to update to NowSMS 2008, which addresses these vulnerabilities.

The proof of concept exploit code that has been published on the internet to highlight these vulnerabilities can trigger an internal restart of the NowSMS service, and could be used for a denial of service attack. It may be possible that variations of this attack could be used for other purposes, including remote system access (the full extent of potential vulnerability is not known).

This proof of concept code works by sending certain invalid requests to either the NowSMS HTTP/web interface port (the HTTP interface of the “SMS Gateway” component, not the HTTP port of MMSC), or the SMPP server, if enabled. The HTTP exploit can be blocked by using the “IP Address Restrictions” setting on the “Web” page of the NowSMS configuration dialog, and explicitly defining all IP addresses that are allowed to access the NowSMS web interface. The SMPP exploit can only be blocked not enabling the SMPP server (it is not enabled by default), or blocking access to the SMPP server port via a firewall that is external to NowSMS.

To address these vulnerabilities, all NowSMS customers are advised to either limit access to these affected server ports, and/or update to NowSMS 2008. The NowSMS 2008.02.22 update is being made available free of charge to all licensed customers of NowSMS 2006 and 2007, even if they do not have an up-to-date maintenance and enhancements agreement. (Access to future NowSMS 2008 updates will require an up-to-date maintenance and enhancements agreement.)

More information about the NowSMS 2008 release:

NowSMS 2008 offers dramatically improved speed and performance for configurations that require messaging throughput of 200 messages per second and higher. In particular, the performance of delivery receipt message id tracking in SMPP environments has improved substantially so that message sending rates in excess of 200 messages per second are easily sustainable for extended periods of time, even as delivery receipts are received at a similar rate. Message id assignments for multipart messages have also been modified to provide for uniqueness.

An improved queuing mechanism offers improved performance for processing bulk messaging queues, and the async mode SMPP implementation has been optimised to provide for maximum throughput.

An XML-based query interface has been added to allow for external reporting of operational and performance statistics including SMSC connection status and messaging throughput.
MM7 support has been enhanced to allow more flexibility in modifying the XML output to allow for quirks in early versions of the MM7 specification, and questionable MM7 implementations by some MM7 service providers. Digest Authentication support has also been added for external MM7 connections.

Support has been added for additional Open Mobile Alliance standards, including DRM 2.1 ROAP Triggers, which are now supported via the PAP (Push Access Protocol) and XML Settings interfaces.

Additional release notes regarding the NowSMS 2008 Edition can be found in the following post: http://www.nowsms.com/discus/messages/53/23641.html

For comments and further discussion, please click here to visit the NowSMS Technical Forums (Discussion Board)...