H.323 Endpoint Registration Weaknesses

Original Release Date: October 23, 2013
Last Revised: October 23, 2013
Number: ASA-2013-475
Risk Level: Medium
Advisory Version: 1.0
Advisory Status: Final

1. Overview:

Avaya Aura® Communication Manager has two configurable H.323 security profiles for the registration of H.323 endpoints. The default security profile, or "challenge" profile, has a weakness in how an endpoint is authenticated to Communication Manager. If an unauthorized user could capture a registration message sequence they could potentially use that information to authenticate as an endpoint. The second and more secure profile for H.323 endpoints, called "strong", provides a better level of security for registration, but this profile has a weakness of its own in how the initialization vector is generated by Avaya H.323 endpoints when registration occurs. This weakness could also potentially allow an unauthorized user to register as an endpoint if a registration sequence were captured. In the case of either profile, the ability for an unauthorized user to login as an endpoint is only possible if H.323 registration network traffic is captured between an H.323 endpoint and CLAN board or Communication Manager.

Avaya would like to thank Salim Neino and Samuel Neves of Kryptos Logic, and Jason Ostrom of Stora LLC (formerly a member of Avaya’s VIPER Lab) for responsibly reporting this issue as well as providing additional guidance during efforts to find a complete resolution.

2. Avaya System Products affected by H.323 Endpoint Registration weaknesses:

Product: Affected Version(s): Risk Level: Actions:
Avaya 96x0 IP Deskphones 3.1.4 and earlier Medium Upgrade firmware to 3.1.5 or later.
Avaya 96x1 IP Deskphones 6.2 with SP1 and earlier Medium Upgrade firmware to 6.2 SP2 or later.
Avaya Aura® Communication Manager All Medium Configure Communication Manager to use the "strong" H.323 security profile to ensure the most secure form of H.323 registration is enabled.
Avaya one-X® Communicator 6.1 with SP8 and earlier Medium Upgrade to 6.1 Service Pack 9 or later.

Recommended Actions for System Products:
Avaya strongly recommends following the networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions, specifically network traffic between the Avaya endpoints and call server. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

The weaknesses in the "challenge" H.323 security profile can only be avoided by configuring Communication Manager to use the "strong" security profile. Please consult the Communication Manager Administration Guide on using the "strong" H.323 security profile. If attempting to switch to the "strong" profile it is also important to consider performance and capacity constraints on your system, as the "strong" profile has higher memory usage requirements.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerability Mitigating Factors
H.323 Registration Weakness This is a medium risk due to the fact that network access is required in order to capture H.323 endpoint registration messages.

3. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - October 23, 2013 - Initial Statement issued.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

© 2013 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.