Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception.
Researchers at Digital Defense found a vulnerability where an attacker could, without authentication, abuse Remote Procedure Calls (RPC) into the server and modify input in such a way that they would be granted remote administrative access...
“Anything that passes through that server [would be at risk],” said Mike Cotton, vice president of research and development... “An attacker could send malformed input at the interfaces and take control over the service and any voice data... “Eventually you can get root command through remote compromise,” he said.
In an advisory updated June 14, Avaya said versions 6.3.1, 6.3.2, 6.3.3 and 7.x are affected. The company said that versions 6.3.1, 6.3.2 and 6.3.3 should install Super Patch 7 and apply AE Services 6.3.3.7 security hotfix. Users on 7.0.x should upgrade to 7.0.1 and install Super Patch 4 and AE Services 6.3.3.7 security hotfix as well. Users on 7.1 should apply AE Services 7.1.0.0.0 Security Hotfix.
“Certainly for enterprises that use the product, this is a high-impact vulnerability,” Cotton said. “The ultimate severity is how many business-critical apps are attached to this thing and where it’s sitting within the network infrastructure. This is something I would prioritize and move to the top of patching lists.” more