Weak Configuration File Encryption In AVAYA One-X Communicator

Title

Weak Configuration File Encryption

Product

AVAYA One-X communicator

Vulnerable Version

6.2 through 6.2 SP12

Fixed Version

6.2 SP13

CVE Number

CVE-2019-7006, ASA-2019-047

Impact

medium

Found

01.11.2018

By

W. Schober, F. Lienhart (Office Vienna) | SEC Consult Vulnerability Lab

SEC Consult found a vulnerability within the encryption process used for configuration files of the Avaya One-X communicator. Because the client can be abused to encrypt arbitrary plaintext, it was possible to decrypt sensitive passwords stored in configuration files.

Vendor Description

“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”

Source: https://www.avaya.com/en/

 

Business Recommendation

The vendor provides a patch for the affected products which should be installed immediately.

SEC Consult recommends a thorough security review, conducted by security professionals, to identify and resolve all security issues.

 

Vulnerability Overview / Description

Weak Configuration File Encryption

During a quick security check, SEC Consult tested the tool AVAYA One-X Communicator. The AVAYA One-X communicator acts basically as a VOIP softphone. The AVAYA One-X communicator can be automatically configured using a configuration file that is automatically deployed (e.g. via Active Directory).

The configuration file contains certain parameters, which are “encrypted” using a proprietary algorithm from AVAYA. Using the AVAYA One-X communicator it is possible to generate arbitrary encrypted configuration files by logging into the application with invalid credentials.

After every subsequent login using invalid credentials, an encrypted configuration file containing the known plaintext is created. Using cryptanalysis and basic common sense, it was easily possible to decrypt the automatically deployed configuration file, which contains parameters such as Active Directory usernames and passwords that can be used for further attacks.

To better understand the issue, the attack scenario is defined in the following section.

 

Attack Scenario

An attacker has access to a workstation with a fully deployed Avaya One-X communicator. The following configuration files are deployed to the device:

%appdata%/avaya/avaya one-X Communicator/config.xml
%appdata%/avaya/avaya one-X Communicator/dirserver.xml

config.xml –> contains the user config (e.g. the encrypted password)
dirserver.xml –> contains the LDAP config for address books (e.g. encrypted LDAP user and password)

 

Proof Of Concept

Weak Configuration File Encryption

If a user logs into the Avaya One-X client, a configuration file located at %appdata%/avaya/avaya one-X Communicator/config.xml is automatically created/updated with the entered username and encrypted password from the last login attempt. The file is always updated, regardless of whether the user/password combination is valid. This allows an attacker to create arbitrary ciphertexts with known plaintexts by entering arbitrary password values and clicking the login button. By abusing this feature, a list of plaintexts and ciphertexts can be derived easily.

Using a simple brute-force approach all encrypted passwords can be obtained. As an example, an attacker could easily decrypt the LDAP user password stored in the dirserver.xml, which is automatically stored on all clients to use the address book. The obtained user can be used for further attacks.
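The following is an added example, not part of the original advisory and not Avaya's algorithm (which the advisory does not describe). It is a defensive property test a developer could run against a configuration-encryption routine to flag the two properties that make known-plaintext pairs useful: deterministic output and prefix preservation. The names `toy_weak_encrypt`, `randomized_encrypt` and `audit_encryption` are hypothetical, and both schemes are constructed for illustration only.

```python
import hashlib
import secrets


def toy_weak_encrypt(plaintext: bytes) -> bytes:
    """Constructed weak scheme (NOT Avaya's algorithm): fixed keystream, no nonce."""
    keystream = hashlib.sha256(b"hard-coded-key").digest()
    return bytes(p ^ keystream[i % 32] for i, p in enumerate(plaintext))


def randomized_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Illustrative stand-in for a randomized scheme; real code should use a vetted AEAD."""
    nonce = secrets.token_bytes(16)  # fresh nonce per call
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes that a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def audit_encryption(encrypt) -> list:
    """Return the oracle-friendly properties that `encrypt` exhibits."""
    findings = []
    sample = b"CorrectHorse-Battery9"  # constructed sample value
    # Same input encrypted twice must not yield the same ciphertext.
    if encrypt(sample) == encrypt(sample):
        findings.append("deterministic")
    # Two constructed inputs sharing a 12-byte prefix must not share ciphertext bytes.
    a, b = b"SharedPrefix" + b"AAAA", b"SharedPrefix" + b"BBBB"
    if common_prefix_len(encrypt(a), encrypt(b)) >= 12:
        findings.append("prefix-preserving")
    return findings


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("toy weak scheme:", audit_encryption(toy_weak_encrypt))
    print("randomized scheme:", audit_encryption(lambda p: randomized_encrypt(p, key)))
```

A routine that returns any finding here lets anyone who can trigger encryption of chosen values compare the results against stored ciphertexts, which is the condition the advisory describes.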

The detailed proof of concept exploit has been removed from this advisory.

 

Vulnerable / Tested Versions

The following version has been tested: AVAYA One-x communicator 6.2.10.3

According to the vendor, all versions 6.2 through 6.2 SP12 are affected.

Vendor Contact Timeline

2018-11-15 Contacting vendor via securityalerts@avaya.com; no answer
2018-11-22 Requesting status update via securityalerts@avaya.com; no answer
2018-11-28 Contacting kundensupport@avaya.com; explaining that securityalerts@avaya.com is unresponsive, although their own policy [1] states the time frame within which they have to respond; requesting an alternative security contact. [1] https://downloads.avaya.com/css/P8/documents/100045520
2018-11-29 Acknowledgement from Avaya; a fix is currently being developed
2018-12-11 Avaya: the fix will be released on January 15th.
2019-01-08 Avaya: handing over information concerning affected versions
2019-01-31 Avaya: The release will be postponed to February 11th.
2019-02-11 Avaya: Build has been submitted, ASA & CVE have been drafted
2019-02-13 Confirming the publication
2019-02-15 Avaya: ASA-2019-046 has been published and CVE-2019-7006 assigned
2019-03-07 SEC Consult advisory release

Solution

The patched version, where the issues are addressed, can be found at the following URL on the vendor website. The vendor also published an advisory (ASA-2019-046).

 

Workaround

No workaround available.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF W. Schober / @2019
