Avaya one-X Agent 2.5 SP2 Cryptography Issues

2015.09.04
Credit: Sven Freund
Risk: Medium
Local: Yes
Remote: No
CVE: N/A

Advisory ID: SYSS-2015-016 Product: Avaya one-X® Agent Release 2.5 SP2 Client Software Vendor: Avaya Inc. Affected Version(s): 2.5.50022.0 Tested Version(s): 2.5.50022.0 Vulnerability Type: Cryptographic Issues (CWE-310) Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Fixed Vendor Notification: 2015-03-06 Solution Date: 2015-04-22 Public Disclosure: 2015-08-05 CVE Reference: Not yet assigned Author of Advisory: Sven Freund (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Avaya one-X® Agent is an integrated telephony softphone solution, which provides many communication functionalities, for instance, seamless connectivity to at-home agents, remote agents, out-sourced agents, contact center agents, and agents interacting with clients with speech and hearing impairments. The vendor Avaya describes the product as follows (see [1]): Avaya one-X® Agent is a desktop application built specifically to meet the needs of contact center agents and supervisors. Avaya one-X Agent gives contact center users the tools they need to be more productive, whether they're working in a headquarters location, in a branch office or home office. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The encryption method for protecting user credentials of the softphone Avaya one-X® is based on the symmetric block cipher Triple DES. Password information like registrar login data or even domain user accounts is encrypted using hard-coded secrets (cryptographic key and initialization vector) contained within the file OneXAgentCore.dll. The encrypted password information is stored within the configuration file Settings.xml. Thus, an attacker with access to the configuration file Settings.xml is able to recover encrypted password information as cleartext and use it for further attacks, for example to perform privilege escalation attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The SySS GmbH developed a proof-of-concept software tool for recovering cleartext passwords stored within the Avaya® configuration file Settings.xml. The following output exemplarily shows a successful password recovery: C:>DecAvayaXOne.exe _____________________________________________________________ / _____ _____ _____ / / ___| / ___/ ___| | `--. _ _ `--. `--. | | `--. | | |`--. `--. | | /__/ / |_| /__/ /__/ / | ____/ __, ____/____/ ... decrypts Avaya Creds! / __/ | / / |___/ __________________________________________/ / _________________/ (__) /_/ (oo) /------/ / |____|| * || || ^^ ^^ SySS DecAvayaXOne v1.0 by Sven Freund - SySS GmbH (c) 2015 Usage: DecAvayaXOne.exe "<encrypted string>" C:>DecAvayaXOne.exe "r+pjyGmVsm8nYDY3/bmj+K89m8uS0VZSqQLxFcX0671DeD3wPGd33SYFq6 q35ncl/dXyjloEe08jiPKH8qKObQ==" [+] Password Found: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The patch was released on July 31st. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-03-06: Vulnerability reported to vendor ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for Avaya Avaya one-X® Agent https://support.avaya.com/products/P0535/avaya-onex-agent [2] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: Security vulnerability found by Sven Freund of the SySS GmbH. E-Mail: sven.freund (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top