Vulnerability CVE-2008-6708 - CERT Civis.Net

Vulnerability Name:

CVE-2008-6708 (CCN-43390)

Assigned:

2008-06-25

Published:

2008-06-25

Updated:

2017-08-17

Summary:

Unspecified vulnerability in the Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x and 4.x, allows remote authenticated administrators to gain root privileges via unknown vectors related to configuration of "data viewing or restoring parameters."

CVSS v3 Severity:

9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-6708

Source: OSVDB
Type: UNKNOWN
46604

Source: CCN
Type: SA30751
Avaya SIP Enablement Services Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
30751

Source: CONFIRM
Type: Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm

Source: CCN
Type: ASA-2008-268
Additional Input Validation Vulnerabilities in Avaya SES SIP Server

Source: CCN
Type: Avaya Web site
Telecommunication Systems by Avaya: Business Telecommunications for your Company

Source: CCN
Type: OSVDB ID: 46604
Avaya SIP Enablement Services (SES) Web Admin Interface Parameter Restoration Privilege Escalation

Source: BID
Type: UNKNOWN
29939

Source: CCN
Type: BID-29939
Avaya Communication Manager Multiple Security Vulnerabilities

Source: CCN
Type: VoIP Security Advisory, 2008-06-25
SIP Enablement Service View/Restore Data Configuration Privilege Elevation

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=77

Source: VUPEN
Type: UNKNOWN
ADV-2008-1943

Source: XF
Type: UNKNOWN
avaya-ses-parameters-code-execution(43390)

Source: XF
Type: UNKNOWN
avaya-ses-parameters-code-execution(43390)

Vulnerable Configuration:

Configuration 1:

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:sp15215:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:sp15500:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:avaya:sip_enablement_services:3.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

Denotes that component is vulnerable