Transport Layer Security Renegotiation Vulnerability

Original Release Date: December 9, 2009
Last Revised: January 4, 2011
Number: ASA-2009-548
Risk Level: Low
Advisory Version: 2.0
Advisory Status: Final

1. Overview:

A vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols has been discovered which could allow an attacker to insert themselves into an authenticated TLS/SSL communications path as part of a man-in-the-middle attack. This would allow the attacker to inject arbitrary content as the client, which the server would then treat as if it had come from the authenticated client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3555 to this issue.

More information about this vulnerability may be found on the following sites:

Various Avaya system products are vulnerable, as they use TLS/SSL in components such as Web services, VoIP communication and other services. Because of the limited conditions under which this issue can be exploited, Avaya has classified this as a Low risk vulnerability.

This advisory has been updated with links to existing Avaya Security Advisories that cover Operating System and third party vendor fixes to TLS/SSL services utilized by Avaya products. Since this vulnerability is at the protocol level, affected Avaya products will continue to update any fixed TLS/SSL libraries as they become available from Operating System and third party vendors. Please refer to new Avaya Security Advisories covering related TLS/SSL vulnerabilities should they be released in the future.

2. Avaya System Products affected by the Transport Layer Security Renegotiation Vulnerability:

Product | Affected Version(s) | Risk Level | Actions
Avaya Aura™ Application Enablement Services | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya CMS | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Aura™ Communication Manager | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Integrated Management Suite (IMS) | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Intuity AUDIX LX | All | Low | See recommended actions below. This advisory will not be addressed by IALX as no further releases are planned.
Avaya IR | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Meeting Exchange | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Message Networking | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Messaging Application Server | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Messaging Storage Server | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Proactive Contact | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Aura™ Session Manager | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Aura™ SIP Enablement Services | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Aura™ System Manager | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Aura™ System Platform | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.
Avaya Voice Portal | All | Low | Please refer to the list of Avaya Security Advisories related to TLS/SSL negotiation issues in the "Recommended Actions" section.

Recommended Actions for System Products:
Avaya strongly recommends that customers follow networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, the risk to Avaya's products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as a product update is available. Further restrictions, as deemed necessary based on the customer's security policies, may be required during this interim period.

Avaya Security Advisories covering System Products affected by TLS/SSL renegotiation vulnerabilities (as of January 4th, 2011) are:

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory, the following Avaya software-only products may be installed on systems which contain TLS/SSL-based services.

Product | Actions
Avaya Agent Access | See recommended actions below.
Avaya Aura™ Application Enablement Services | See recommended actions below.
Avaya Basic Call Management System Reporting Desktop - client | See recommended actions below.
Avaya Basic Call Management System Reporting Desktop - server | See recommended actions below.
Avaya Call Management Server (CMS) Supervisor | See recommended actions below.
Avaya CallVisor ASAI LAN (CVLAN) Client | See recommended actions below.
Avaya Computer Telephony | See recommended actions below.
Avaya Contact Center Express (ACCE) | See recommended actions below.
CVLAN | See recommended actions below.
Avaya Customer Interaction Express (CIE) | See recommended actions below.
Avaya Enterprise Manager | See recommended actions below.
Avaya Integrated Management | See recommended actions below.
Avaya Interaction Center (IC) | See recommended actions below.
Avaya Interaction Center (IC) - Voice Quick Start | See recommended actions below.
Avaya IP Agent | See recommended actions below.
Avaya IP Softphone | See recommended actions below.
Avaya Modular Messaging | See recommended actions below.
Avaya Network Reporting | See recommended actions below.
Avaya OctelAccess® Server | See recommended actions below.
Avaya OctelDesigner™ | See recommended actions below.
Avaya Operational Analyst | See recommended actions below.
Avaya Outbound Contact Management | See recommended actions below.
Avaya Speech Access | See recommended actions below.
Avaya Unified Communication Center (UCC) | See recommended actions below.
Avaya Unified Messenger® | See recommended actions below.
Avaya Visual Messenger™ | See recommended actions below.
Avaya Visual Vector Client | See recommended actions below.
Avaya Voice Portal | See recommended actions below.
Avaya VPNmanager™ Console | See recommended actions below.
Avaya Web Messenger | See recommended actions below.

Recommended Actions for Software-Only Products:
In the event that systems with any of these products installed use affected components, Avaya recommends that customers follow the recommended actions from the underlying operating system vendor to obtain a fix when one is available.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - December 9, 2009 - Initial Statement issued.
V 2.0 - January 4, 2011 - Updated advisory with currently known fix information and finalized.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

© 2009 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.