Avaya SES Authentication Bypass Vulnerability and Information Disclosure Weakness

Bugtraq ID:	30758
Class:	Design Error
CVE:	CVE-2008-3778 CVE-2008-3777
Remote:	Yes
Local:	Yes
Published:	Aug 19 2008 12:00AM
Updated:	Jul 05 2016 10:01PM
Credit:	Avaya
Vulnerable:	Avaya S8300 CM 5 Avaya Aura SIP Enablement Services 5.0
Not Vulnerable:

Avaya SES Authentication Bypass Vulnerability and Information Disclosure Weakness

Avaya SES (SIP Enablement Services) server is prone to an authentication-bypass vulnerability because it fails to adequately protect administrative areas within the application. The information-disclosure weakness is caused by the application writing sensitive information to logs.

Attackers can exploit the authentication-bypass issue to render the server unusable for a period. Exploiting the information-disclosure weakness may give the attacker unauthorized access to login credentials.

Avaya SES 5.0 and CM 5.0 on S8300C with SES enabled are vulnerable; other versions may also be affected.

Avaya SES Authentication Bypass Vulnerability and Information Disclosure Weakness

Attackers can exploit these issues by using readily available tools.

Avaya SES Authentication Bypass Vulnerability and Information Disclosure Weakness

Solution:
The vendor has supplied fixes and an advisory. Please see the references for more information.

Avaya SES Authentication Bypass Vulnerability and Information Disclosure Weakness

References:

• ASA-2008-347 - Remote Administration Login Failure Vulnerabilities in Avaya SIP (Avaya)
  
• Avaya Homepage (Avaya Inc.)
  
• SIP Enablement Services Homepage (Avaya)