lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <EF4C65F18BE6464B8E9DF3C212B6B29306B2CC57@cof110avexu1.global.avaya.com>
Date: Mon, 7 Mar 2005 18:19:04 -0700
From: "Walton, John Michael (John)" <jmwalton@...ya.com>
To: <grutz@...gojango.net>, <bugtraq@...urityfocus.com>,
	<m123303@...hmond.ac.uk>
Subject: RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability


Avaya has finished our investigation of this issue and an Avaya Security
Advisory, ASA-2005-041, has been released.  The advisory can be obtained
from:

http://support.avaya.com/security  

or directly from:

http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_
Leak.pdf 

We expect that this advisory will be updated with available patches or
timeframes in the future.

For reference, links to Avaya's Vulnerability Classification system and
Avaya's Vulnerability Response Policy are below: 
http://support.avaya.com/elmodocs2/security/security_vulnerability_class
ification.pdf

http://support.avaya.com/elmodocs2/security/security_vulnerability_respo
nse.pdf

(URL may be wrapped)

-John Walton, CISSP
Lead Security Engineer
Product Security Support Team (PSST)
Avaya, Inc. 

-----Original Message-----
From: Walton, John Michael (John) 
Sent: Wednesday, February 23, 2005 5:17 PM
To: grutz@...gojango.net; bugtraq@...urityfocus.com;
m123303@...hmond.ac.uk
Subject: RE: Avaya IP Office Phone Manager - Sensitive Information
Cleartext Vulnerability

Avaya is aware and currently investigating this issue.  Once our
investigation is complete we will release an Avaya Security Advisory to
address the outlined concerns.  In the interim, we've asked Mitre to
assign a Common Vulnerability and Exposures (CVE) candidate number for
this issue.  They have assigned CAN-2005-0506:
 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0506

Congruent with generally acceptable security practices, Avaya recommends
that customers restrict remote and local access to their systems to
reduce risks.  Alternatively, customers may choose not to utilize the
"Remember save password" feature in order to prevent a user's password
from being stored in the Windows registry.  

Please note the Avaya Product Security Support Team (PSST) takes the
security of Avaya products seriously.  We would like to develop a
relationship with our customers and the public to encourage them to
forward vulnerabilities to us.  Please send information regarding any
discovered security problems with Avaya products to
securityalerts[at]avaya.com.  I, or someone on the PSST, will work
directly to validate the problem and coordinate a response; including an
acknowledgement for working with us to help protect customers.

John Walton, CISSP
Lead Security Engineer
Product Security Support Team (PSST)
Avaya, Inc.



Powered by blists - more mailing lists