Vulnerability CVE-2008-6709 - CERT Civis.Net

Vulnerability Name:

CVE-2008-6709 (CCN-43380)

Assigned:

2008-06-25

Published:

2008-06-25

Updated:

2017-08-17

Summary:

Unspecified vulnerability in the Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, allows remote authenticated users to execute arbitrary commands via unknown vectors related to configuration of "local data viewing or restoring parameters."

CVSS v3 Severity:

9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2008-6709

Source: CCN
Type: SA30751
Avaya SIP Enablement Services Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
30751

Source: CONFIRM
Type: Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm

Source: CCN
Type: ASA-2008-268
Additional Input Validation Vulnerabilities in Avaya SES SIP Server

Source: CCN
Type: Avaya Web site
Telecommunication Systems by Avaya: Business Telecommunications for your Company

Source: OSVDB
Type: UNKNOWN
46603

Source: CCN
Type: OSVDB ID: 46603
Avaya SIP Enablement Services (SES) Web Admin Interface Local Data View Configuration Arbitrary Command Execution

Source: BID
Type: UNKNOWN
29939

Source: CCN
Type: BID-29939
Avaya Communication Manager Multiple Security Vulnerabilities

Source: CCN
Type: VoIP Security Advisory, 2008-06-25
SIP Enablement Service View/Restore Data Local Configuration Arbitrary Command Execution

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=78

Source: VUPEN
Type: UNKNOWN
ADV-2008-1943

Source: XF
Type: UNKNOWN
avaya-ses-command-execution(43380)

Source: XF
Type: UNKNOWN
avaya-ses-command-execution(43380)

Vulnerable Configuration:

Configuration 1:

cpe:/a:avaya:sip_enablement_services:3.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:sip_enablement_services:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:sip_enablement_services:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:sip_enablement_services:4.0:*:*:*:*:*:*:*

AND

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.4:sp1:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.4:sp2:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.5:sp0:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

Denotes that component is vulnerable