Weak Configuration File Encryption in AVAYA One-X communicator

Project Description

SEC Consult found a vulnerability within the encryption process used for configuration files of the Avaya One-X communicator. Being able to encrypt arbitrary plaintext by abusing the client, it was possible to decrypt sensitive passwords stored in configuration files.


Vendor description

“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”

Source: https://www.avaya.com/en/

 

Business recommendation

The vendor provides a patch for the affected products which should be installed immediately.

SEC Consult recommends that a thorough security review be conducted by security professionals to identify and resolve all security issues.

 

Vulnerability overview/description

Weak Configuration File Encryption

During a quick security check, SEC Consult tested the tool AVAYA One-X Communicator. The AVAYA One-X communicator acts basically as a VOIP softphone. The AVAYA One-X communicator can be automatically configured using a configuration file that is automatically deployed (e.g. via Active Directory).

The configuration file contains certain parameters, which are “encrypted” using a proprietary algorithm from AVAYA. Using the AVAYA One-X communicator it is possible to generate arbitrary encrypted configuration files by logging into the application with invalid credentials.

After every subsequent login using invalid credentials, an encrypted configuration file containing the known plaintext is created. Using cryptanalysis and basic common sense, it was easily possible to decrypt the automatically deployed configuration file, which contains parameters such as Active Directory usernames and passwords that can be used for further attacks.

To make the issue easier to understand, the attack scenario is defined in the following section.

 

Attack scenario

An attacker has access to a workstation with a fully deployed Avaya One-X communicator. The following configuration files are deployed to the device:

%appdata%/avaya/avaya one-X Communicator/config.xml
%appdata%/avaya/avaya one-X Communicator/dirserver.xml

config.xml –> contains the user config (e.g. the encrypted password)
dirserver.xml –> contains the LDAP config for address books (e.g. encrypted LDAP user and password)

 

Proof of concept

Weak Configuration File Encryption

If a user logs into the Avaya One-X client, a configuration file located at %appdata%/avaya/avaya one-X Communicator/config.xml is automatically created/updated with the entered username and encrypted password from the last login attempt. The file is always updated, regardless of whether the user/password combination is valid. This allows an attacker to create arbitrary ciphertexts with known plaintexts by entering arbitrary password values and clicking the login button. By abusing this feature, a list of plaintexts and ciphertexts can be derived easily.

Using a simple brute-force approach all encrypted passwords can be obtained. As an example, an attacker could easily decrypt the LDAP user password stored in the dirserver.xml, which is automatically stored on all clients to use the address book. The obtained user can be used for further attacks.

The detailed proof of concept exploit has been removed from this advisory.
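A detection angle on the behaviour described above, as an added example that is not part of the original advisory: because config.xml is rewritten on every login attempt, a burst of rewrites by one user on one host stands out against normal use. The event export format, host and user names, window and threshold are assumptions; the sample events are constructed, and file-write telemetry for the path is assumed to be available.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Path suffix from the advisory, normalised (Windows paths are case-insensitive).
WATCHED_SUFFIX = "/avaya/avaya one-x communicator/config.xml"
WINDOW = timedelta(minutes=5)  # assumed tuning value
THRESHOLD = 5                  # assumed tuning value: rewrites within WINDOW


def _ev(ts, host, user, name="config.xml"):
    # Builds one constructed event line: timestamp|host|user|path (hypothetical format).
    return rf"{ts}|{host}|{user}|C:\Users\{user}\AppData\Roaming\Avaya\Avaya one-X Communicator\{name}"


_T0 = datetime(2019, 1, 10, 10, 0, 5)
# Constructed sample data: two ordinary logins on WS-017, a burst on WS-042.
SAMPLE_EVENTS = "\n".join(
    [_ev("2019-01-10T08:01:12", "WS-017", "jdoe"),
     _ev("2019-01-10T13:30:40", "WS-017", "jdoe"),
     _ev("2019-01-10T10:03:00", "WS-042", "asmith", "dirserver.xml")]
    + [_ev((_T0 + timedelta(seconds=15 * i)).isoformat(), "WS-042", "asmith")
       for i in range(6)]
)


def parse(line):
    ts, host, user, path = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, path.replace("\\", "/").lower()


def find_rewrite_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return sorted (host, user) pairs that rewrote config.xml at least
    `threshold` times within any `window`-long span."""
    recent = defaultdict(deque)  # (host, user) -> timestamps inside the window
    flagged = set()
    for ts, host, user, path in sorted(parse(l) for l in text.splitlines() if l.strip()):
        if not path.endswith(WATCHED_SUFFIX):
            continue  # only the file the client rewrites on each login attempt
        q = recent[(host, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop rewrites that fell out of the sliding window
        if len(q) >= threshold:
            flagged.add((host, user))
    return sorted(flagged)


if __name__ == "__main__":
    for host, user in find_rewrite_bursts(SAMPLE_EVENTS):
        print(f"{host} ({user}): repeated config.xml rewrites, review login attempts")
```

On unpatched clients, a hit is a reason to rotate the credentials deployed in dirserver.xml as well as the affected user's password.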

 

Vulnerable / tested versions

The following version has been tested: AVAYA One-x communicator 6.2.10.3

According to the vendor, all versions 6.2 through 6.2 SP12 are affected.

 

Vendor contact timeline

2018-11-15: Contacting vendor via securityalerts@avaya.com; no answer
2018-11-22: Requesting status update via securityalerts@avaya.com; no answer
2018-11-28: Contacting kundensupport@avaya.com; explaining to them that securityalerts@avaya.com is unresponsive, although they have their own policy [1] stating the time frame in which they have to respond; requesting an alternative security contact.
[1] https://downloads.avaya.com/css/P8/documents/100045520
2018-11-29: Acknowledgement from Avaya; a fix is currently being developed
2018-12-11: Avaya: the fix will be released on January 15th.
2019-01-08: Avaya: handing over information concerning affected versions
2019-01-31: Avaya: The release will be postponed to February 11th.
2019-02-11: Avaya: Build has been submitted, ASA & CVE have been drafted
2019-02-13: Confirming the publication
2019-02-15: Avaya: ASA-2019-046 has been published and CVE-2019-7006 assigned
2019-03-07: SEC Consult advisory release

 

Solution

The patched version, in which the issues are addressed, can be found at the following URL on the vendor website. The vendor also published an advisory (ASA-2019-046).

 

Workaround

No workaround available.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF W. Schober / @2019

 


Project Details

  • Title: Weak Configuration File Encryption
  • Product: AVAYA One-X communicator
  • Vulnerable version: 6.2 through 6.2 SP12
  • Fixed version: 6.2 SP13
  • CVE number: CVE-2019-7006, ASA-2019-047
  • Impact: Medium
  • Homepage: https://www.avaya.com/
  • Found: 11/2018
  • By: W. Schober, F. Lienhart (Office Vienna) | SEC Consult Vulnerability Lab
