Vulnerability Note VU#690315

Avaya Secure Access Link (SAL) Gateway information disclosure vulnerability

Original Release date: 29 Jul 2011 | Last revised: 29 Jul 2011

Overview

Avaya Secure Access Link (SAL) gateway releases 1.5, 1.8, and 2.0 have an information disclosure vulnerability in the default install.

Description

According to Avaya's Product Support Notice PSN003314u [PDF]:

"On installation of SAL Gateway with the default properties provided along with the installer, the Secondary Core Server URL and the Remote Server URL points to the secavaya.com and secaxeda.com respectively which are invalid public domain servers and not owned by Avaya. These servers resolve to invalid domains and pose a security threat. Secondary Core Server URL should be same as the primary Core Server URL and Secondary Remote Server URL should be same as the primary Remote Server URL."

Impact

Information from the SAL gateway, such as alarms or logs, may be sent to secavaya.com and secaxeda.com email addresses.

Solution

The Avaya Product Support Notice PSN003314u [PDF] states:

"To resolve this problem, please do the following steps:

  1. Login to the SAL Gateway UI with the user having either Security Administrator or Administrator role.
  2. Navigate to the Administration section of the SAL Gateway menu, click on Core Server.
  3. In the Secondary Core Server field, enter the host name same as the primary Core Server hostname for the secondary Secure Access Concentrator Core Server.
  4. In the Port field, enter the port number same as the primary Core Server port number for the secondary Secure Access Concentrator Core Server.
  5. Click on Apply.
  6. Navigate to the Administration section of the SAL Gateway menu, click Remote Server.
  7. In the Secondary Remote Server field, enter the hostname same as the primary Remote Server hostname for the secondary Secure Access Concentrator Remote Server.
  8. In the Port field, enter the port number same as the primary Remote Server port number for the secondary Secure Access Concentrator Remote Server.
  9. Click on Apply.
  10. Logout from the Gateway UI."

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Avaya, Inc.Affected27 Jul 201128 Jul 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thank you to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 May 2011
  • Date First Published: 29 Jul 2011
  • Date Last Updated: 29 Jul 2011
  • Severity Metric: 0.91
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.