Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception.
Researchers at Digital Defense found a vulnerability where an attacker could, without authentication, abuse Remote Procedure Calls (RPC) into the server and modify input in such a way that they would be granted remote administrative access.
“Anything that passes through that server [would be at risk],” said Mike Cotton, vice president of research and development. That would include, in additional to call and API data, control over configuration of telephony services, VoIP services and other things in the telephony stack, Cotton said.
“A lot of times, central server nodes have API keys for other systems they talk to,” Cotton said. “You can get control of that device and admin control of attached devices with the same privileges.”
The Aura Application Enablement Services software provides API interfaces primarily with IBM Lotus, Microsoft Office Communications Server, Lync and more. The company markets Aura as enterprise software having the ability to support hundreds of business critical applications. Cotton likened it to a Windows domain controller.
“[The vulnerability] is basically input manipulation through HTTP header injection,” Cotton said. “An attacker could send malformed input at the interfaces and take control over the service and any voice data that goes through it, or intercept anything else the server has the rights to do like reconfiguring telephony structure.
“Eventually you can get root command through remote compromise,” he said.
In an advisory updated June 14, Avaya said versions 6.3.1, 6.3.2, 6.3.3 and 7.x are affected. The company said that versions 6.3.1, 6.3.2 and 6.3.3 should install Super Patch 7 and apply AE Services 22.214.171.124 security hotfix. Users on 7.0.x should upgrade to 7.0.1 and install Super Patch 4 and AE Services 126.96.36.199 security hotfix as well. Users on 7.1 should apply AE Services 188.8.131.52.0 Security Hotfix.
Normally, the tool is firewalled off from the public network, Cotton said.
“Because it’s an API connector node, in some cases you do see external evidence of them,” Cotton said. “A lot of people put API nodes on the network boundaries, but this is the master API web interface; most of the time, deployments are local.”
Enterprises can run a number of telephony related applications through the Avaya tool, such as voicemail control systems or systems with a VoIP interface and no hardware may run through it in order to gain Tier 1 VoIP capabilities, Cotton said.
“Certainly for enterprises that use the product, this is a high-impact vulnerability,” Cotton said. “The ultimate severity is how many business-critical apps are attached to this thing and where it’s sitting within the network infrastructure. This is something I would prioritize and move to the top of patching lists.”