NowSMS 2008 and Important Security Issues | Search |
NowSMS Support Forums ⬆ Now SMS/MMS Product Announcements ⬆ |
◄ ► |
Author | Message | |||
Keith Norris Moderator Username: Admin Post Number: 32 Registered: 05-2003 |
The 2008 edition of the Now SMS/MMS Gateway is now available for download at http://www.nowsms.com/downloads/. While the primary new feature of this version is improved performance and scalability for configurations that require throughput of 200 messages per second and higher, we want to draw the attention of all customers to this release, as it addresses a security issue that was recently posted on the internet at http://secunia.com/advisories/29003/. At this time, we are not aware of any software that exploits these buffer overflow vulnerabilities for malicious purposes, nor do we know for certain that it is possible to exploit these vulnerabilities for such purposes, but we do believe that it is in the best interest of customers to update to NowSMS 2008, which addresses these vulnerabilities. The proof of concept exploit code that has been published on the internet to highlight these vulnerabilities can trigger an internal restart of the NowSMS service, and could be used for a denial of service attack. It may be possible that variations of this attack could be used for other purposes, including remote system access (the full extent of potential vulnerability is not known). This proof of concept code works by sending certain invalid requests to either the NowSMS HTTP/web interface port (the HTTP interface of the "SMS Gateway" component, not the HTTP port of MMSC), or the SMPP server, if enabled. The HTTP exploit can be blocked by using the "IP Address Restrictions" setting on the "Web" page of the NowSMS configuration dialog, and explicitly defining all IP addresses that are allowed to access the NowSMS web interface. The SMPP exploit can only be blocked not enabling the SMPP server (it is not enabled by default), or blocking access to the SMPP server port via a firewall that is external to NowSMS. To address these vulnerabilities, all NowSMS customers are advised to either limit access to these affected server ports, and/or update to NowSMS 2008. The NowSMS 2008.02.22 update is being made available free of charge to all licensed customers of NowSMS 2006 and 2007, even if they do not have an up-to-date maintenance and enhancements agreement. (Access to future NowSMS 2008 updates will require an up-to-date maintenance and enhancements agreement.) More information about the NowSMS 2008 release: NowSMS 2008 offers dramatically improved speed and performance for configurations that require messaging throughput of 200 messages per second and higher. In particular, the performance of delivery receipt message id tracking in SMPP environments has improved substantially so that message sending rates in excess of 200 messages per second are easily sustainable for extended periods of time, even as delivery receipts are received at a similar rate. Message id assignments for multipart messages have also been modified to provide for uniqueness. An improved queuing mechanism offers improved performance for processing bulk messaging queues, and the async mode SMPP implementation has been optimised to provide for maximum throughput. An XML-based query interface has been added to allow for external reporting of operational and performance statistics including SMSC connection status and messaging throughput. MM7 support has been enhanced to allow more flexibility in modifying the XML output to allow for quirks in early versions of the MM7 specification, and questionable MM7 implementations by some MM7 service providers. Digest Authentication support has also been added for external MM7 connections. Support has been added for additional Open Mobile Alliance standards, including DRM 2.1 ROAP Triggers, which are now supported via the PAP (Push Access Protocol) and XML Settings interfaces. Detailed revision history notes: 2008-02-22: * SMS Gateway: Update for NowSMS web interface and SMPP server to address potential security issues/denial of service attacks. * Add XML-based Status interface to report information similar to that reported on the "Status" page, including information about SMSC connection status, number of messages processed and number of messages pending in the queues. The XML-based status interface can be accessed on the web port of the SMS gateway using a URL of "/ADMIN/XMLSTATUS". To enable access to this interface, "Enable Web Account Administration" must be enabled on the "Web" tab of the NowSMS administrative interface. The Admin User Name and Password can either be sent in an HTTP "Authorization:" header, or using "&User=username&Password=password" in the URL request. The format of the XML data will be documented in a future release, but should be self-explanatory to advanced users. 2008-02-14: * SMS Gateway: Update and performance enhancements for statistic counter logic. "SMS Submitted" count previously was not recording message counts properly if NowSMS was configured to accept messages without user accounts enabled. * SMS Gateway: For performances reasons, the "Outbound SMS Queue Size" statistic can now be optionally cached by the service so that it can be displayed without requiring a manual directory scan. This setting may improve performance on systems with large numbers of queued messages. To enable this setting, edit SMSGW.INI, and under the [SMSGW] header, add CacheQSize=Yes. * SMS Gateway: Message ID assignments for multipart messages (e.g., SAR-xxxxx-x-x-x) have changed slightly to provide uniqueness. 2008-01-30: * SMS Gateway/SMPP Receipt Message ID Resolving: Fix for problem properly resolving SMSC message IDs for some configurations where the SMSC returns a decimal version of the message ID in the text of the receipt message. 2008-01-28: * SMS Gateway: Performance optimisations to improve async SMPP throughput for configurations of 200 messages per second and higher. 2008-01-17: * OMA Settings: Send XML Settings and Push Access Protocoal (PAP) interface updated to support DRM 2.1 Roap Trigger <roap:roapTrigger> documents. Note: There is a bug in the WBXML encoding as specified in the currently published DRM 2.1 Candidate specification. The specifications defines a WBXML encoding for "http://www.w3.org/2001/XMLSchema", which should instead be "http://www.w3.org/2001/XMLSchema-instance". The OMA has agreed that this bug will be fixed for the final release of the DRM 2.1 specification (Change Request OMA-DRM-2007-0568), and the NowSMS implementation includes support for this fix. Also note that the current DRM 2.1 specification is still a candidate release, and there are numerous encoding errors in the WBMXL example in the specification, so this is definitely a work-in-progress implementation that will be updated as the final specification is released. * MM7: The element value <MessageClass>Personal</MessageClass> was not being included in MM7 submissions, with NowSMS assuming that Personal was the default value for this element, when the actual schema default is Informational. If this causes a problem, edit VASPOUT\vaspAccountName\VASP.INI, and under the [VASP] header, add MessageClass=None to omit the <MessageClass> element. Or specify MessageClass=xxxxxxxx to specify <MessageClass>xxxxxxxx</Messageclass> (xxxxxxxx should be either Personal, Advertisement, Informational or Auto). * MM7: Early MM7 schemas did not support the "+" character in a phone number. When one of these early schema versions is used, NowSMS automatically removes the "+" character if present. * SMS Gateway: When "Separate outbound message queues for each user" is enabled, NowSMS will utilise additional Q subdirectories when large volumes of messages are submitted, to prevent Windows performance problems with too many message files in a single directory. 2007-11-29: * MMS over MM1 (operator MMSC with GPRS modem): Revisit old problem from 2006-08-11 - Fix for "HeaderUserAgent" and "HeaderProfile" MMSC.INI settings having problems if these included longer strings. This would result in the WSP Connect PDU being formed invalid when retrieving MMS messages (sending was ok), and prevent MMS messages from being received. Previous fix did not work with all longer strings. 2007-11-19: * MMSC: Add configuration parameter that allows for recipient address conversions based upon the prefix of the recipient phone number. This conversion is applied after the MMSC adds a country code to any recipient phone numbers. To add any conversions, edit MMSC.INI, and under the [MMSC] header, add MSISDNRecipientPrefixConvert=+1234:+2345,+6789:+987 If the MMSC encounters a recipient address that starts with "+1234", it will replace this part of the recipient address with "+2345" (e.g., +123456789 becomes +234556789). 2007-11-15: * SMPP: Performance optimisations for high speed transceiver connections (or connections that return delivery receipts over the sender connection, such as the Logica SMPP simulator) when sending and receiving over the same connection. * SMPP: Performance optimisations for delivery receipt message id tracking/conversion. * MM7: Additional configuration parameters available for customising XML name space parameters in the MM7 output. This is to deal with connections to quirky MMSCs that expect particular prefixes to be used for XML name spaces. The following settings can be defined under the [VASP] header of VASP\accountname\VASP.INI: NSSoapEnvelope=soapenv This setting specifies the name space prefix to be used for the "http://schemas.xmlsoap.org/soap/envelope/" name space, the default being env. NSXMLSchema=xsd This setting specifies the name space prefix to be used for the "http://www.w3.org/2001/XMLSchema" name space, the default being blank. When blank, this name space is NOT referenced in the XML envelope. NSXMLSchemaInstance=xsi This setting specifies the name space prefix to be used for the "http://www.w3.org/2001/XMLSchema-instance" name space, the default being blank. When blank, this name space is NOT referenced in the XML envelope. NSMM7TransactionID=ns1 This setting specifies the name space prefix to be used for the MM7 schema name space for the TransactionID element in the SOAP envelope only, the default being blank. The following example provides further explanation. This is an example default MM7 SOAP envelope header generated by NowSMS: <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Header> <TransactionID xmlns="http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-5-MM7-1-2" env:mustUnderstand="1">20071102120921-A4D2CC3B@bigkahuna</TransactionID> </env:Header> This is an exampe MM7 SOAP envelope header generated by NowSMS when the following settings are defined in VASP.INI: [VASP] NSSoapEnvelope=soapenv NSXMLSchema=xsd NSXMLSchemaInstance=xsi NSMM7TransactionID=ns1 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <ns1:TransactionID soapenv:mustUnderstand="1" xmlns:ns1="http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-5-MM7-1-2">20071102120643-A1231342@bigkahuna</ns1:TransactionID> </soapenv:Header> <soapenv:Body> NOTE: The MM7 schema version is configurable on a per cnonection basis, the default being REL-5-MM7-1-2. 2007-10-23: * SMPP Server: User interface for setting "Max connections per client" was not updating the SMSGW.INI file correctly. SMPPServerMaxConnectionsPerUser=## needs to be under the [SMSGW] header of SMSGW.INI, but the user interface setting was placing this value under the [SMPP] header of SMSGW.INI. 2007-10-03: * 2-way SMS: Add additional replacement parameter avaialble for 2-way commands when messages are received via a GSM modem. The @@RECEIVEDSMSC@@ parameter will contain the SMSC address from which the SMS message was received. This value is ONLY available for messages received via a GSM modem, it will be blank for all other SMSC interfaces. 2007-10-02: * When making HTTP requests via an HTTP proxy server, include a "Host:" header. Previously, the "Host:" header was only included when not using an HTTP proxy. (The old approach was valid for HTTP/1.0, but not valid for HTTP/1.1.) This logic only applies to HTTP SMSC connections via an HTTP Proxy, and to User Agent Profile (UAProf) retrieval via an HTTP Proxy. MMS retrieval over MM1 via an HTTP proxy already included all required headers. 2007-09-13 * SMS Gateway/SMPP Client: Add configuration parameter to allow the "users" directory to be moved to another location other than beneath the NowSMS program directory. This directory contains queues of received messages waiting for SMPP or POP3 clients. (Under [SMSGW] header in SMSGW.INI, use UsersDir=d:\path\ or UsersDir=\Server\Volume\path\ to specify the location of the SMS "users" directory.) 2007-09-06 * SMTP: Add support for sending e-mail to SMS or MMS using distribution lists when SMTP AUTH is not used for authentication. Previously NowSMS required that an SMTP client "login" to NowSMS as an "SMS User" account in order to access a distribution list. Now, users that authenticate to NowSMS via the "Authorised E-Mail to SMS/MMS Senders" list or via the trusted IP address list (SMTPIPAddressList) can also send to distribution lists. Note, however, that there are two types of distribution lists supported by NowSMS. If "Require Authentication for web interface" is checked on the "Web" page of the NowSMS configuration, this means that users are prompted to login when they access the NowSMS web interface. In this situation, each user has their own set of user-specific distribution lists, and e-mail to SMS or MMS using this distribution list is only possible if SMTP AUTH is performed during the SMTP connection, using the same NowSMS user account. If "Require Authentication for web interface" is NOT checked, then all distribution lists are global and are not user specific. User-specific distribution lists are stored in the DLISTS\username subdirectory of NowSMS. Non-user specific distribution lists are stored directly in the DLISTS directory. 2007-08-28 * MMSC/MM1: Add support for CC/BCC recipients when routing messages to an operator MMSC via MM1. Previously all recipients would be listed as "To" recipients in the message header. Note that it is not possible to specify CC or BCC recipients when submitting via the NowSMS web interface, but it is possible to specify CC or BCC recipients when using MM7 or EAIF. Also note that for special requirements it is possible to force all recipients for an MM1 connection to be specified as BCC by editing VASPOUT\accountname\VASP.INI, and adding ForceBCC=Yes under the [VASP] header. 2007-08-15 * MMSC: Performance enhancements for bulk MMS message submissions being routed to external MMSC connections. Please note the following configuration settings related to bulk MMS. a.) When a message is sent to more than 1000 recipients, NowSMS will automatically break the message into separate message instances for each group of 1000 recipients. As many MMSC connections will not accept bulk MMS submissions to this many recipients in a single instance, this allows NowSMS to simultaneously process the different recipient groups over separate outbound MMSC connections for better performance. To change this setting, edit MMSC.INI, and under the [MMSC] header, specify MaxRecipsPerMMS=##### to set the number of recipients allowed per single MMS message instance. (Note: The "Max Connections" setting for MM7 and EAIF MMSC connections specifies how many simultaneous connections can be allowed between NowSMS and any one specific external MMSC.) b.) When a message is routed to an external MMSC connection, NowSMS will automatically break messages sent to multiple recipients into separate message instances for grouped recipients. The number of recipients per message instance is variable based upon the MMSC connection type. For MM1 connections, the value is 5 recipients per message instance. For EAIF connections, the value is 10 recipients per message instance. For MM7 connections, the value is 100 recipients per message instance. To modify this setting, it is necessary to manually edit the VASPOUT\accountname\VASP.INI file associated with the "MMSC Routing" definition. Under the [VASP] header, add MaxRecips=#### to specfy the number of recipients allowed per single MMS message instance. An additional performance note related to bulk MMS: When a NowSMS installation is used primarily for routing bulk MMS messages to external MMSC connections, it is recommended that the "MMSC Users" account list be left empty for maximum performance. (Otherwise, NowSMS performs a user account lookup for each MMS message recipient, which can diminish performance.) * MMSC: Update to fix upgrade problems for some customers where the "MMSC Users" list is empty after upgrading to NowSMS 2007. 2007-07-23 * MM7 - Add preliminary support for Digest Authentication when initiating MM7 connections to an external MMSC. No configuration is required. If a username/password is defined, NowSMS will initially attempt a connection with Basic Authentication, switching to Digest Authentication if requested by the MMSC. * SMS to E-mail - Add template setting to allow some minor changes to the standard SMS to e-mail format (From /Subject /Message Text) used by NowSMS. To change the SMS to e-mail format, edit MMSC.INI, and add an SMSEMailTemplate= setting to define a template for the SMS to e-mail format. The following replacement variables are supported in the template: @@FromAddress@@ (e-mail address of sender), @@FromName@@ (full name of sender), @@Subject@@ (subject of message), @@Text@@ (text of message). The default template is SMSEMailTemplate=@@FromAddress@@ /@@Subject@@ /@@Text@@ 2007-07-20: * SMS Gateway - Fix problem where HTTP "&Sender=" parameter did not support alphanumeric sender values. (Problem was introduced when source/destination port support was added for appending ":port" to a sender or recipient phone number. 2007-06-28: * SMPP - Fix for a problem where recent versions have not properly passed the "Address Range" parameter in SMPP connection tests from the configuration dialog. |