Grandstream Upgrade Immediately for Security Fix: Firmware 1.0.0.35 for GXW 4501/4502/4504

https://forums.grandstream.com/t/please-upgrade-immediately-for-security-fix-firmware-1-0-0-35-for-gxw4501-4502-4504-released-as-official/41569

Dear Grandstream Customers,

Firmware 1.0.0.35 for GXW4501/4502/4504 is now released as official. Here is the link to the release notes:
http://firmware.grandstream.com/Release_Note_GXW450x_1.0.0.35.pdf

Firmware 1.0.0.35 contains a security fix. Please find the security bulletin here:

Grandstream Security Bulletin_GS20-GXW001.pdf (grandstream.com, 145.66 KB)

Summary

This security bulletin describes a vulnerability in the Grandstream GXW4501/4502/4504 series digital VoIP gateways that could allow malicious users to obtain user passwords.

Description

A recent security issue was discovered regarding SQL injections that could allow malicious unauthenticated users to retrieve the passwords of created users from the GXW4501/4502/4504 series digital VoIP gateways with firmware 1.0.0.32 or older. When certain actions are invoked on specific ports, the related modules will be vulnerable to the aforementioned SQL injections and brute force attacks.

After upgrading, please make sure to change the web access passwords for ALL users on the GXW450x web UI->Maintenance->User Management page, which includes super admin and admin users. It’s also highly recommended to change the username to be different from the previous username. If any unknown user exists on the User Management page, please remove it immediately.

The firmware and release notes can be downloaded from:
http://www.grandstream.com/support/firmware

Please contact Grandstream Support should you have any issues. Thank you for your support for Grandstream products.

Technical Support
Grandstream Networks, Inc.