Wind River has released a security advisory pertaining to their embedded version of Linux. This advisory contains vulnerabilities that may affect Avaya systems.
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2896 to this issue.
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3170 to this issue.
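The two CUPS/GIF issues above come down to one missing check in the LZW decoder: a code word is only valid if it is already in the decompression table, or is exactly the next code to be added (the "KwKwK" case), and the first code after a clear can only be a single-byte root code. The following decoder is an added example written for this page, not code from CUPS, GIMP or any other project named above; it assumes the 12-bit codes have already been unpacked from the GIF bit stream (the assumed `codes[]` array), so that the table check stands out, and it bounds-checks every write against the caller's buffer so a malformed stream returns an error instead of an infinite loop or a heap overrun.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CODES 4096   /* GIF LZW codes are at most 12 bits wide */

/* Decoding table: each code is a prefix code plus one suffix byte; the
   expanded length is kept so output writes can be bounds-checked first. */
typedef struct {
    int     prefix[MAX_CODES];
    uint8_t suffix[MAX_CODES];
    int     length[MAX_CODES];
} lzw_table;

/* First byte of the string that a known table code expands to. */
static uint8_t first_byte(const lzw_table *t, int code)
{
    while (t->prefix[code] != -1)
        code = t->prefix[code];
    return t->suffix[code];
}

/* Write the string for a known code, back to front. Returns the number of
   bytes written, or -1 if it would overrun the output buffer. */
static int emit(const lzw_table *t, int code, uint8_t *out, size_t outlen, size_t cap)
{
    int len = t->length[code];
    if (len <= 0 || (size_t)len > cap - outlen)
        return -1;
    for (int k = len - 1; k >= 0; k--) {
        out[outlen + k] = t->suffix[code];
        code = t->prefix[code];
    }
    return len;
}

/* Decode a stream of already-unpacked LZW codes (assumption, see lead-in).
   Returns the number of bytes written to out, or -1 on a malformed stream. */
int lzw_decode(const int *codes, size_t ncodes, int min_code_size,
               uint8_t *out, size_t out_cap)
{
    if (min_code_size < 2 || min_code_size > 8)
        return -1;
    int clear = 1 << min_code_size, eoi = clear + 1, next = clear + 2;
    int prev = -1;
    size_t outlen = 0;
    lzw_table t;
    for (int c = 0; c < clear; c++) { t.prefix[c] = -1; t.suffix[c] = (uint8_t)c; t.length[c] = 1; }

    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], n;
        if (code == clear) { next = clear + 2; prev = -1; continue; }
        if (code == eoi) break;
        if (prev == -1) {
            /* First code after a clear: the table holds only root codes, so
               anything else is malformed (the CVE-2011-3170 situation). */
            if (code < 0 || code >= clear) return -1;
            if (outlen >= out_cap) return -1;
            out[outlen++] = (uint8_t)code;
            prev = code;
            continue;
        }
        if (code >= 0 && code < next) {
            /* Known code: emit it, then add prev + first byte of this string. */
            if ((n = emit(&t, code, out, outlen, out_cap)) < 0) return -1;
            outlen += (size_t)n;
            if (next < MAX_CODES) {
                t.prefix[next] = prev; t.suffix[next] = first_byte(&t, code);
                t.length[next] = t.length[prev] + 1; next++;
            }
        } else if (code == next && next < MAX_CODES) {
            /* KwKwK: the one code not yet in the table that is still valid;
               it equals prev + first byte of prev, so add it, then emit it. */
            t.prefix[next] = prev; t.suffix[next] = first_byte(&t, prev);
            t.length[next] = t.length[prev] + 1; next++;
            if ((n = emit(&t, code, out, outlen, out_cap)) < 0) return -1;
            outlen += (size_t)n;
        } else {
            /* Code absent from the table: reject it rather than walking an
               uninitialised prefix chain (the CVE-2011-2896 situation). */
            return -1;
        }
        prev = code;
    }
    return (int)outlen;
}

/* Constructed sample streams with an 8-bit root size (clear = 256, end = 257):
   the LZW encoding of "ABABABA"; a code (300) that was never defined; and a
   multi-byte code used as the first code after a clear. */
static const int SAMPLE_OK[]     = {256, 65, 66, 258, 260, 257};
static const int SAMPLE_ABSENT[] = {256, 65, 300, 257};
static const int SAMPLE_FIRST[]  = {256, 258, 257};
uint8_t demo_buf[32];

/* Decode into demo_buf with a caller-chosen capacity; returns lzw_decode's result. */
int demo_run(const int *codes, size_t ncodes, size_t cap)
{
    return lzw_decode(codes, ncodes, 8, demo_buf, cap);
}

int main(void)
{
    int n = demo_run(SAMPLE_OK, 6, sizeof demo_buf);
    printf("valid stream: %d bytes: %.*s\n", n, n, (const char *)demo_buf);
    printf("absent code: %d, bad first code: %d, 4-byte buffer: %d\n",
           demo_run(SAMPLE_ABSENT, 4, sizeof demo_buf),
           demo_run(SAMPLE_FIRST, 3, sizeof demo_buf),
           demo_run(SAMPLE_OK, 6, 4));
    return 0;
}
```

The three rejection paths map onto the advisory text: an absent code (neither in the table nor equal to `next`), a non-root first code after a clear, and a string that would not fit the output buffer. A decoder that lacks the first two checks indexes table slots that were never written, which is where the infinite loop and the heap overflow in the original decoders come from.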
The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1776 to this issue.
A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl "net.sctp.addip_enable" variable was turned on. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1573 to this issue.
The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel before 3.1-rc3 does not validate the length attribute of long symlinks, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2928 to this issue.
Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2497 to this issue.
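The L2CAP bug is the classic "length minus fixed fields" underflow: the parser subtracts the size of the fixed part of the request from the length given in the command header without first checking that the header length is at least that big, so a tiny length wraps to a huge option count. The snippet below is an added example for this page, not the Linux kernel's code; the wire layout (a 4-byte command header of code, ident and little-endian length, followed by a 4-byte fixed part and then options) is an assumption modelled on the L2CAP signalling format, and the sample packets are constructed. It shows the unchecked computation beside the hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout (modelled on the L2CAP command header): code(1) ident(1)
   len(2, little-endian), then len bytes of payload. For a configuration
   request the payload starts with dcid(2) flags(2); the rest is options. */
#define CMD_HDR_LEN        4
#define CONF_REQ_FIXED_LEN 4

typedef struct {
    uint8_t  code, ident;
    uint16_t len, dcid, flags;
    const uint8_t *opts;
    size_t   opts_len;
} conf_req;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the option length is derived from the header's len
   without checking len >= CONF_REQ_FIXED_LEN. A len of 1 wraps to a huge
   count, and a loop over the options then walks far past the received data. */
size_t conf_req_opts_len_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < CMD_HDR_LEN) return 0;
    size_t len = rd16le(pkt + 2);
    return len - CONF_REQ_FIXED_LEN;   /* underflows when len < 4 */
}

/* Hardened parser: len must cover the fixed fields and must not claim more
   than was actually received. Returns the option length, or -1 on a
   malformed request; fills *out when out is non-NULL. */
long conf_req_parse(const uint8_t *pkt, size_t pkt_len, conf_req *out)
{
    if (pkt_len < CMD_HDR_LEN) return -1;
    size_t len = rd16le(pkt + 2);
    if (len < CONF_REQ_FIXED_LEN) return -1;       /* the underflow case */
    if (len > pkt_len - CMD_HDR_LEN) return -1;    /* claims more than received */
    if (out) {
        out->code = pkt[0]; out->ident = pkt[1]; out->len = (uint16_t)len;
        out->dcid = rd16le(pkt + 4); out->flags = rd16le(pkt + 6);
        out->opts = pkt + CMD_HDR_LEN + CONF_REQ_FIXED_LEN;
        out->opts_len = len - CONF_REQ_FIXED_LEN;
    }
    return (long)(len - CONF_REQ_FIXED_LEN);
}

/* Constructed samples: a well-formed request carrying two option bytes, and
   one whose header claims a length of 1, smaller than the fixed fields. */
const uint8_t SAMPLE_GOOD[10]  = {0x04, 0x01, 0x06, 0x00, 0x40, 0x00, 0x00, 0x00, 0xAA, 0xBB};
const uint8_t SAMPLE_SHORT[5]  = {0x04, 0x01, 0x01, 0x00, 0x40};

int main(void)
{
    printf("unchecked, len=1: %zu option bytes (wrapped)\n",
           conf_req_opts_len_unchecked(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("checked, len=1:   %ld\n", conf_req_parse(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    printf("checked, good:    %ld option bytes\n", conf_req_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, NULL));
    return 0;
}
```

The second check in `conf_req_parse` matters as much as the first: a header length that is large enough to avoid the underflow can still exceed the bytes that arrived, so both bounds are compared before any arithmetic on `len` is trusted.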
Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4494 to this issue.
Memory leak in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-5063 to this issue.
More information about these vulnerabilities can be found in the security advisories issued by Wind River (a login is required):
| Product | Affected Version(s) | Risk Level | Actions |
|---|---|---|---|
| Avaya 96x1 IP Deskphones | 6.0.x through 6.6.0 | Low | For SIP, upgrade to 7.0 or later. For H.323 and B189, upgrade to 6.6.1 or later. |
Recommended Actions for System Products:
Avaya strongly recommends that customers follow networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but customers should not modify the System Product operating system or application unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.
When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:
| Vulnerability | Mitigating Factors |
|---|---|
| CVE-2011-2896, CVE-2011-3170 | The risk is None because CUPS is not installed by default. |
| CVE-2011-1776, CVE-2011-2928 | The risk is Low because shell access is restricted. |
| CVE-2011-1573 | The risk is None because the variable "net.sctp.addip_enable" is not turned on by default. |
| CVE-2011-2497 | The risk is None because Bluetooth is not enabled with current 96x1 software. |
| CVE-2010-4494 | The risk is None because libxml2 is not installed by default. |
| CVE-2009-5063 | The risk is Low because it would require specific user actions that would impact only their phone. |
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - November 10, 2011 - Initial Statement issued.
V 2.0 - May 5, 2016 - Updated 96x1 Affected Versions and Actions and changed ASA status to Final.
Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.
© 2011 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.