Advisory ID: SYSS-2015-016
Product: Avaya one-X® Agent Release 2.5 SP2 Client Software 
Vendor: Avaya Inc.
Affected Version(s): 2.5.50022.0
Tested Version(s): 2.5.50022.0
Vulnerability Type: Cryptographic Issues (CWE-310) 
                    Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-03-06
Solution Date: 2015-04-22
Public Disclosure: 2015-08-05
CVE Reference: Not yet assigned
Author of Advisory: Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Avaya one-X® Agent is an integrated telephony softphone solution, which
provides many communication functionalities, for instance, seamless
connectivity to at-home agents, remote agents, out-sourced agents,
contact center agents, and agents interacting with clients with speech
and hearing impairments.

The vendor Avaya describes the product as follows (see [1]):

Avaya one-X® Agent is a desktop application built specifically to meet
the needs of contact center agents and supervisors. Avaya one-X Agent
gives contact center users the tools they need to be more productive,
whether they're working in a headquarters location, in a branch office
or home office. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The encryption method for protecting user credentials of the softphone
Avaya one-X® is based on the symmetric block cipher Triple DES.

Password information like registrar login data or even domain user
accounts is encrypted using hard-coded secrets (cryptographic key and
initialization vector) contained within the file OneXAgentCore.dll. The
encrypted password information is stored within the configuration file
Settings.xml.

Thus, an attacker with access to the configuration file Settings.xml is
able to recover encrypted password information as cleartext and use it
for further attacks, for example to perform privilege escalation
attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The SySS GmbH developed a proof-of-concept software tool for recovering
cleartext passwords stored within the Avaya® configuration file
Settings.xml.

The following output exemplarily shows a successful password recovery:

C:\>DecAvayaXOne.exe
                _____________________________________________________________
               /    _____       _____ _____                                  \
              /    /  ___|     /  ___/  ___|                                  \
             |     \ `--. _   _\ `--.\ `--.                                    |
             |      `--. \ | | |`--. \`--. \                                   |
             |     /\__/ / |_| /\__/ /\__/ /                                   |
              \    \____/ \__, \____/\____/   ... decrypts Avaya Creds!       /
               \          __/ |                                              /
               /         |___/    __________________________________________/
              / _________________/
        (__) /_/
        (oo)
  /------\/
 / |____||
*  ||   ||
   ^^   ^^
SySS DecAvayaXOne v1.0 by Sven Freund - SySS GmbH (c) 2015


Usage: DecAvayaXOne.exe "<encrypted string>"

C:\>DecAvayaXOne.exe "r+pjyGmVsm8nYDY3/bmj+K89m8uS0VZSqQLxFcX0671DeD3wPGd33SYFq6
q35ncl/dXyjloEe08jiPKH8qKObQ=="

[+] Password Found: 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution: The patch was released on July 31st.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-03-06: Vulnerability reported to vendor

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Avaya Avaya one-X® Agent
    https://support.avaya.com/products/P0535/avaya-onex-agent
    
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sven Freund of the SySS GmbH.

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en