Vulnerability Identified in the Avaya AES Management Console Platform
Today Digital Defense is publishing a high impact zero-day vulnerability identified in the Avaya Application Enablement Services (AES) Management Console platform discovered by Digital Defense Security Analysts. The Digital Defense Vulnerability Research Team would like to commend Avaya for their prompt handling and diligent attention to the issue and their work with Digital Defense engineering staff to understand, resolve and verify the fixes for these security issues.
Avaya has made a fix available. To obtain the patch visit:
Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can sweep for the presence of this issue by performing a full vulnerability assessment scan.
Details of the vulnerabilities are as follows:
Product: Application Enablement Services (AES) Management Console
Brief product description: Avaya AES is a server-based software solution providing enhanced telephony APIs, protocols and web services.
DDI-VRT-2017- 05: Remote Unauthenticated Root Command Injection
Vulnerability: Remote Unauthenticated Root Command Injection
Impact: A remote, unauthenticated user could leverage this flaw to gain complete control of an affected asset.
Details: The scripts at /aesvcs/loginErrorPage.xhtml and /aesvcs/login.xhtml do not properly sanitize user input before using it in shell commands. As a result, a remote unauthenticated user could leverage this flaw to inject arbitrary commands which will be executed in the context of the root user. A crafted POST request to these scripts with the "LoginForm%3AuserName" parameter populated with a command injection string can be used to exploit this vulnerability.
The Digital Defense team and Avaya engineers have rated this vulnerability as having a high security impact and recommend Avaya AES users patch their system at the earliest opportunity.