lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9CE75E98979ABC448892B4284A51E252CAED62B8B7@kestrel.london.contextis.co.uk>
Date: Thu, 6 Jan 2011 10:11:53 +0000
From: Context IS - Disclosure <disclosure@...textis.co.uk>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Avaya Aura AES - Authorisation Bypass

===============================ADVISORY===============================
Systems Affected:    Avaya Aura AES (Application Enablement Services) 4.x.x 
Severity:            Medium
Category:            Authorisation Bypass
Author:              Context Information Security Ltd
Reported to vendor:  9th September 2010
Advisory Issued:     6th January 2011
===============================ADVISORY===============================
 
Description
-----------
The Avaya AES application suffers from an authorisation bypass vulnerability 
that allows a low level user to execute administrative functions.  
 
Analysis
--------
A flaw in the authorisation function validating whether a user is permitted 
to execute a desired function, allows low level users to execute some 
administrative functions leading to an authorisation bypass and privilege 
escalation vulnerability. 
 
Technologies Affected
------------------------------
 
Avaya Aura™ Application Enablement Services (4.x.x)
 
 
Vendor Response
-----------------------
 
https://support.avaya.com/css/P8/documents/100121813
 
 
Disclosure Timeline
--------------------------
9th September 2010 – Vendor Disclosure
10th December 2010 – Vendor Releases Advisory
 
 
Credits
---------
Ben Heinkel of Context Information Security Ltd
 
About Context Information Security
----------------------------------
 
Context Information Security is an independent security consultancy specialising 
in both technical security and information assurance services The company was 
founded in 1998. Its client base has grown steadily over the years, thanks in large 
part to personal recommendations from existing clients who value us as business 
partners. We believe our success is based on the value our clients place on our 
product-agnostic, holistic approach; the way we work closely with them to develop 
a tailored service; and to the independence, integrity and technical skills of our 
consultants.
The company’s client base now includes some of the most prestigious blue chip 
companies in the world, as well as government organisations.
 
The best security experts need to bring a broad portfolio of skills to the job, 
so Context has always sought to recruit staff with extensive business experience 
as well as technical expertise. Our aim is to provide effective and practical 
solutions, advice and support: when we report back to clients we always communicate 
our findings and recommendations in plain terms at a business level as well as in 
the form of an in-depth technical report.
 
Web:        www.contextis.co.uk
Email:      disclosure@...textis.co.uk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ