exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Avaya Aura AES Authorization Bypass

Avaya Aura AES Authorization Bypass
Posted Jan 6, 2011
Authored by Ben Heinkel

Avaya Aura AES suffers from an authorization bypass vulnerability.

tags | advisory, bypass
SHA-256 | cf596ceb98e9794fe26da9c067cf878a55087a32581760fdc487b617c54a3741

Avaya Aura AES Authorization Bypass

Change Mirror Download
===============================ADVISORY===============================
Systems Affected: Avaya Aura AES (Application Enablement Services) 4.x.x
Severity: Medium
Category: Authorisation Bypass
Author: Context Information Security Ltd
Reported to vendor: 9th September 2010
Advisory Issued: 6th January 2011
===============================ADVISORY===============================

Description
-----------
The Avaya AES application suffers from an authorisation bypass vulnerability
that allows a low level user to execute administrative functions.

Analysis
--------
A flaw in the authorisation function validating whether a user is permitted
to execute a desired function, allows low level users to execute some
administrative functions leading to an authorisation bypass and privilege
escalation vulnerability.

Technologies Affected
------------------------------

Avaya Aura™ Application Enablement Services (4.x.x)


Vendor Response
-----------------------

https://support.avaya.com/css/P8/documents/100121813


Disclosure Timeline
--------------------------
9th September 2010 – Vendor Disclosure
10th December 2010 – Vendor Releases Advisory


Credits
---------
Ben Heinkel of Context Information Security Ltd

About Context Information Security
----------------------------------

Context Information Security is an independent security consultancy specialising
in both technical security and information assurance services The company was
founded in 1998. Its client base has grown steadily over the years, thanks in large
part to personal recommendations from existing clients who value us as business
partners. We believe our success is based on the value our clients place on our
product-agnostic, holistic approach; the way we work closely with them to develop
a tailored service; and to the independence, integrity and technical skills of our
consultants.
The company’s client base now includes some of the most prestigious blue chip
companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job,
so Context has always sought to recruit staff with extensive business experience
as well as technical expertise. Our aim is to provide effective and practical
solutions, advice and support: when we report back to clients we always communicate
our findings and recommendations in plain terms at a business level as well as in
the form of an in-depth technical report.

Web: www.contextis.co.uk
Email: disclosure@contextis.co.uk
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close