A vulnerability was found in Avaya IP Office one-X Portal 9.0 and classified as critical. Affected by this issue is an unknown functionality of the component UserConfigurationService. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. Avaya IP Office one-X Portal is a server application that allows IP Office users to control their phone and various telephony settings through a web browser.

The weakness was presented 03/13/2014 by Andrea Micalizzi (rgod) as ASA-2014-110 as confirmed advisory (Website) via ZDI (Zero Day Initiative). The advisory is shared for download at downloads.avaya.com. The public release was coordinated in cooperation with the vendor. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

Applying the patch SP2 is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (94498). zerodayinitiative.com is providing further details. See 67207 for similar entry.

Productinfo

Vendor

• Avaya

Name

• IP Office one-X Portal

Version

• 9.0

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion