SEC Consult found a vulnerability in the encryption process used for configuration files of the Avaya One-X communicator. Because the client could be abused to encrypt arbitrary plaintext, it was possible to decrypt sensitive passwords stored in configuration files.
“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”
The vendor provides a patch for the affected products which should be installed immediately.
SEC Consult recommends a thorough security review conducted by security professionals to identify and resolve all security issues.
Weak Configuration File Encryption
During a quick security check, SEC Consult tested the tool AVAYA One-X Communicator. The AVAYA One-X communicator is essentially a VoIP softphone. It can be configured automatically using a configuration file that is deployed automatically (e.g. via Active Directory).
The configuration file contains certain parameters which are “encrypted” using a proprietary algorithm from AVAYA. Using the AVAYA One-X communicator, it is possible to generate arbitrary encrypted configuration files by logging into the application with invalid credentials.
After every subsequent login using invalid credentials, an encrypted configuration file containing the known plaintext is created. Using cryptanalysis and basic common sense, it was easily possible to decrypt the automatically deployed configuration file, which contains parameters such as Active Directory usernames and passwords that can be used for further attacks.
To better understand the issue, the attack scenario is defined in the following chapter.
An attacker has access to a workstation with a fully deployed Avaya One-X communicator. The following configuration files are deployed to the device:
%appdata%/avaya/avaya one-X Communicator/config.xml
%appdata%/avaya/avaya one-X Communicator/dirserver.xml
config.xml –> contains the user config (e.g. the encrypted password)
dirserver.xml –> contains the LDAP config for address books (e.g. encrypted LDAP user and password)
Proof of concept
Weak Configuration File Encryption
If a user logs into the Avaya One-X client, a configuration file located at %appdata%/avaya/avaya one-X Communicator/config.xml is automatically created/updated with the entered username and encrypted password from the last login attempt. The file is always updated, regardless of whether the user/password combination is valid. This allows an attacker to create arbitrary ciphertexts with known plaintexts by entering arbitrary password values and clicking the login button. By abusing this feature, a list of plaintexts and ciphertexts can be derived easily.
Using a simple brute-force approach, all encrypted passwords can be obtained. As an example, an attacker could easily decrypt the LDAP user password stored in dirserver.xml, which is automatically stored on all clients to use the address book. The obtained user can be used for further attacks.
The detailed proof of concept exploit has been removed from this advisory.
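Because config.xml is rewritten on every login attempt, valid or not, a burst of writes to that file within a short time is a signal defenders can look for in file-write telemetry. The following detection sketch is an added example and not part of the SEC Consult advisory; the tab-separated record format, the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File named in the advisory; compared case-insensitively with "/" separators.
TARGET = "avaya one-x communicator/config.xml"

def _rec(ts, host, user, name="config.xml"):
    """Build one constructed record: time, host, user, path (tab-separated)."""
    return (f"{ts}\t{host}\t{user}\tC:\\Users\\{user}\\AppData\\Roaming"
            f"\\Avaya\\Avaya one-X Communicator\\{name}")

# Constructed sample telemetry, not real logs.
SAMPLE = [
    _rec("2019-03-01T08:00:05", "WS01", "alice"),   # ordinary login
    _rec("2019-03-01T13:02:11", "WS01", "alice"),   # ordinary login
    _rec("2019-03-01T09:14:30", "WS07", "bob", "dirserver.xml"),  # other file
] + [_rec(f"2019-03-01T09:15:{s:02d}", "WS07", "bob") for s in range(0, 48, 8)]

def flag_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Map (host, user) to the largest number of config.xml writes seen
    inside one window, for every pair that reaches the threshold."""
    events = []
    for line in lines:
        ts, host, user, path = line.rstrip("\n").split("\t")
        if path.replace("\\", "/").lower().endswith(TARGET):
            events.append((datetime.fromisoformat(ts), host, user))
    recent, hits = defaultdict(deque), {}
    for ts, host, user in sorted(events):
        q = recent[(host, user)]
        q.append(ts)
        while ts - q[0] > window:      # drop writes older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[(host, user)] = max(hits.get((host, user), 0), len(q))
    return hits

if __name__ == "__main__":
    for (host, user), n in flag_bursts(SAMPLE).items():
        print(f"{host} {user}: {n} config.xml writes within 2 minutes")
```

Tune the threshold and window to how often users legitimately log in on your endpoints before alerting on the result.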
Vulnerable / tested versions
The following version has been tested: AVAYA One-x communicator 126.96.36.199
According to the vendor, all versions 6.2 through 6.2 SP12 are affected.
Vendor contact timeline
|2018-11-15||Contacting vendor via firstname.lastname@example.org; no answer|
|2018-11-22||Requesting status update via email@example.com; no answer|
|2018-11-28||Contacting firstname.lastname@example.org; explaining to them that email@example.com is unresponsive, even though they have their own policy explaining the time frame in which they have to respond; requesting an alternative|
|2018-11-29||Acknowledgement from Avaya; a fix is currently being developed|
|2018-12-11||Avaya: the fix will be released on January 15th.|
|2019-01-08||Avaya: handing over information concerning affected versions|
|2019-01-31||Avaya: The release will be postponed to February 11th.|
|2019-02-11||Avaya: Build has been submitted, ASA & CVE have been drafted|
|2019-02-13||Confirming the publication|
|2019-02-15||Avaya: ASA-2019-046 has been published and CVE-2019-7006 assigned|
|2019-03-07||SEC Consult advisory release|
No workaround available.
EOF W. Schober / @2019
- Title: Weak Configuration File Encryption
- Product: AVAYA One-X communicator
- Vulnerable version: 6.2 through 6.2 SP12
- Fixed version: 6.2 SP13
- CVE number: CVE-2019-7006, ASA-2019-047
- By: W. Schober, F. Lienhart (Office Vienna) | SEC Consult Vulnerability Lab