Avaya Support Forums

Thread: CVE-2015-0235 GHOST vulnerability (http://support.avaya.com/forums/showthread.php?t=5958), in Avaya Aura & Unified Communications (http://support.avaya.com/forums/forumdisplay.php?f=2)

jmunfo 01-28-2015 09:03 AM

CVE-2015-0235 GHOST vulnerability
 
Is anyone aware of the impact that CVE-2015-0235 GHOST vulnerability has on Avaya CM products?

As you may have already heard, a high severity vulnerability affecting Linux GNU C Library (glibc) was announced this morning. The vulnerability known as GHOST (CVE-2015-0235) affects many systems built on Linux starting with glibc-2.2 as well as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

We are recommending all Qualys customers take immediate action by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. You can get reports detailing enterprise-wide exposure during your next scanning cycle to get visibility into the impact within your organization and efficiently track the remediation progress of this serious vulnerability. If you think you may be affected, patches are available from all of the Linux vendors starting today.

For more information on GHOST, follow the conversation on our Laws of Vulnerabilities blog.


mlombardi1 01-28-2015 11:28 AM

Most enterprise Avaya products run on a modified RHEL or CentOS load, so I'd wager Avaya is highly vulnerable. Let's see how quickly we see remediation released.

willamsj 01-29-2015 08:13 AM

https://downloads.avaya.com/css/P8/documents/101006648

Apparently Avaya's "final" advisory status is that there are no RHEL Avaya products, therefore no vulnerability.

I opened a case with Avaya support to get attention to this and seek clarification.

walmsls 01-29-2015 11:28 AM

Thank you for the link to the ASA. I too opened a Support Request with Avaya for validation because a ZDNet article (link below) lists several Linux distros as affected, CentOS included, which Avaya uses as the OS.

http://www.zdnet.com/article/critica...ty-hole-found/

willamsj 01-29-2015 11:50 AM

Here's what I've found so far: still waiting for a response from the BBE who took the case; he indicated that he needs to research.

Checking 7.6 and 7.5 Linux servers, the RHEL OS release is 5.3. According to Red Hat's publication, that release is not listed as affected.

What is uncertain in my mind is whether this is because the release is no longer supported by RH and therefore they didn't even test for the vulnerability, or if it was tested and has been verified as not affected (perhaps because the earlier release of the library does not contain the vulnerability.)

willamsj 01-29-2015 12:19 PM

https://access.redhat.com/articles/1332213
This indicates that all releases of RHEL are affected, however there are no fixes listed from RH for release 5.3.

I've passed this information on to Avaya.

willamsj 01-29-2015 12:41 PM

FYI

CS1K 7.5 and 7.65 both use RHEL 5.3
According to a ZDNet article, all glibc releases from 2.2 through 2.17 are affected by this vulnerability.
7.65 uses glibc 2.5.

Therefore the CS1K Linux systems are likely vulnerable.

However, Avaya has not completed their analysis, and they have indicated that the bulletin that has been released does not cover these CS1K products (therefore there is no security advisory available for CS1K products, not even a preliminary one).

Additionally, it is unlikely that the CM product has been evaluated either.

mlombardi1 01-30-2015 06:52 AM

Checked the OS and library versions on the following products. Looks like everything is vulnerable except SBC-E 6.2.

SAL 2.2 SP1 on VMware:
CentOS release 5.8 (Final)
glibc-2.5-81.el5_8.7
glibc-2.5-81.el5_8.7


CM 6.3 SP7:
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
glibc-2.5-107.el5_9.4.AV1

System Manager 6.3 SP6:
CentOS release 5.6 (Final)
glibc-2.5-118.el5_10.2
glibc-2.5-118.el5_10.2


Session Manager 6.3 SP6:
Enterprise Linux Server release 6.2 (Feb 07 11:23:30 MST 2013)
glibc-2.12-1.80.el6_3.5.x86_64
glibc-2.12-1.80.el6_3.5.i686


AES 6.3.1:
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
glibc-2.5-81.el5_8.7

Utility Server 6.3.3.0.20:
CentOS release 5.7 (Final)
glibc-2.5-118

WebLM 6.3.2 on VMware:
CentOS release 5.6 (Final)
glibc-2.5-107.el5_9.4
glibc-2.5-107.el5_9.4


CMS R17 on VMware:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
glibc-2.12-1.80.el6.x86_64
glibc-2.12-1.80.el6.i686


SBC-E 6.2.1.Q18:
MontaVista 4.2.0-16.0.25.0801283 2008-06-17
package glibc is not installed

System Platform 6.3.1:
CentOS release 5.9 (Final)
glibc-2.5-107.el5_9.5.x86_64
glibc-2.5-107.el5_9.5.i686


Aura Messaging 6.3.1 SP0:
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
glibc-2.5-81.el5_8.7.AV1
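The inventory above is the raw output of `rpm -q glibc` on each box, and the only thing that decides exposure is whether that build is older than the fixed build for its release line. The script below is an added example (not from any post in this thread, nor Avaya's or Red Hat's code) that parses such package lines, including the Avaya-rebuilt `.AV1` variants, and compares them with rpm's digit/alpha segment ordering. The `FIXED_BUILDS` thresholds and `SAMPLE_REPORT` are constructed placeholders; replace the thresholds with the version-release listed in the Red Hat erratum for your release before trusting any verdict.

```python
"""Classify `rpm -q glibc` output for CVE-2015-0235 by comparing the
installed build against a per-version-line fixed build (added example)."""
import re
import subprocess

# CONSTRUCTED PLACEHOLDERS keyed by upstream glibc version (2.5 = EL5, 2.12 = EL6).
# Replace with the exact "version-release" from the vendor erratum for your release.
FIXED_BUILDS = {
    "2.5": "2.5-999.el5",    # placeholder for the RHEL/CentOS 5 fixed build
    "2.12": "2.12-999.el6",  # placeholder for the RHEL/CentOS 6 fixed build
}

ARCH_RE = re.compile(r"\.(x86_64|i[3-6]86|noarch)$")
NOT_INSTALLED = "package glibc is not installed"
# Worst status first, so a multi-arch host reports its weakest package.
SEVERITY = ["vulnerable", "unknown", "unparsed", "fixed", "not installed"]

# Constructed sample, copied from the package lines posted in this thread.
SAMPLE_REPORT = {
    "SAL 2.2 SP1": ["glibc-2.5-81.el5_8.7", "glibc-2.5-81.el5_8.7"],
    "CM 6.3 SP7": ["glibc-2.5-107.el5_9.4.AV1"],
    "Session Manager 6.3 SP6": ["glibc-2.12-1.80.el6_3.5.x86_64",
                                "glibc-2.12-1.80.el6_3.5.i686"],
    "Utility Server 6.3.3.0.20": ["glibc-2.5-118"],
    "SBC-E 6.2.1.Q18": ["package glibc is not installed"],
}


def rpmvercmp(a, b):
    """Simplified rpm version ordering: split into digit/alpha runs, compare
    digits numerically and letters lexically, a digit run beats an alpha run,
    and when one string is a prefix of the other the longer one is newer."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(line):
    """'glibc-2.5-81.el5_8.7.x86_64' -> ('glibc', '2.5', '81.el5_8.7', 'x86_64')."""
    arch = None
    m = ARCH_RE.search(line)
    if m:
        arch = m.group(1)
        line = line[: m.start()]
    name, version, release = line.rsplit("-", 2)  # ValueError if not N-V-R
    return name, version, release, arch


def classify(line):
    """Return one of SEVERITY for a single `rpm -q glibc` output line."""
    line = line.strip()
    if line == NOT_INSTALLED:
        return "not installed"
    try:
        name, version, release, _ = parse_nvr(line)
    except ValueError:
        return "unparsed"
    if name != "glibc" or version not in FIXED_BUILDS:
        return "unknown"  # different package, or a version line we have no threshold for
    fixed_version, fixed_release = FIXED_BUILDS[version].split("-", 1)
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "fixed" if cmp >= 0 else "vulnerable"


def audit(report):
    """Map each product to the worst status among its package lines."""
    return {product: min((classify(l) for l in lines), key=SEVERITY.index)
            for product, lines in report.items()}


def live_check():
    """Classify this host's own glibc (RHEL/CentOS); None if rpm is not present."""
    try:
        out = subprocess.run(["rpm", "-q", "glibc"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return {l: classify(l) for l in out.splitlines() if l.strip()}


if __name__ == "__main__":
    for product, status in audit(SAMPLE_REPORT).items():
        print(f"{product:28s} {status}")
    print("this host:", live_check())
```

Two details matter for these particular hosts: the `.AV1` suffix on Avaya's rebuilt packages adds trailing segments, so it sorts newer than the stock build it came from but still older than any higher release number; and a bare release such as `118` with no `el5` tag still compares correctly because the lookup is keyed on the upstream version rather than the dist tag.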

jmunfo 02-02-2015 02:13 AM

glibc security update (RHSA-2015-0099)
 
Avaya have fed back the following:

glibc security update (RHSA-2015-0099)

Original Release Date: January 28, 2015
Last Revised: January 28, 2015
Number: ASA-2015-047
Risk Level: None
Advisory Version: 1.0
Advisory Status: Final

1. Overview:

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-0235 to this issue.
No Avaya system products are vulnerable, as the affected RHEL AUS, EUS and LL Operating Systems are not installed by default.
More information about these vulnerabilities can be found in the security advisory issued by Red Hat:
2. Avaya System Products using a RHEL AUS, EUS or LL Operating System: None

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
Product / Actions:
Avaya Aura® Application Enablement Services: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the AES application.
Avaya IQ: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the Avaya IQ application.
CVLAN: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the CVLAN application.
Avaya Aura® Experience Portal: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the EP application.
Avaya Integrated Management Suite (IMS): Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the IMS application.
Avaya Aura® Presence Services: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the PS application.
Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends following recommended actions supplied by Red Hat regarding their Enterprise Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
6. Revision History:

V 1.0 - January 28, 2015 - Initial Statement issued.
Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

willamsj 02-02-2015 06:09 AM

Quote:

From: Ananthakrishnan, Ganesh (Ganesh) On Behalf Of Product Security Alerts
Sent: Thursday, January 29, 2015 11:29 AM
To: redacted; Product Security Alerts
Subject: RE: RHSA-2015-0099


Avaya products do not use RHEL AUS, EUS or LL Operating Systems. Avaya uses RHEL and an advisory for RHEL5 and RHEL6 will be published as soon as we finish investigating the impact of this, on our products.

Ganesh
PSST (Product Security Support Team)

walmsls 02-19-2015 03:45 PM

I finally got a reply from the backbone engineer working on my support request. Here is their reply.

Below are the links for the Avaya Security Announcements that have been released in regards to CVE-2015-0235 glibc vulnerability (“street name” of GHOST).

RHEL4: ASA-2015-072 - https://downloads.avaya.com/css/P8/documents/101006705
RHEL5: ASA-2015-070 - https://downloads.avaya.com/css/P8/documents/101006702
RHEL6: ASA-2015-071 - https://downloads.avaya.com/css/P8/documents/101006704

Depending on the products that you are currently using, if they are on supported software, for example CM 6.3, the fixes are due in the next Security Pack, which is expected by the end of March. This can change depending on testing, release dates changing, etc.

If the Product Software is End of Support there will be no fixes released and the software will need to be upgraded in order to receive the security fix.


Vulnerability for CVE-2015-0235 = MEDIUM

The risk is rated Medium for all listed products because the exploit would require local account access. Remote attack may not be possible, because either the DNS server is not running or the products sanitize the input and provide name resolution to trusted hosts only within the enterprise. Additionally, the known affected programs or utilities are not used and additional protection mechanisms are in place to protect the products from remote exploit.

So, it looks like wait for the end of March for a security patch...

