With regards to the original e-mail to this list (mirrored at the URL http://www.securiteam.com/securitynews/5SP012055O.html), this reply was sent to the independent NA-Resellers Avaya Alchemy/IP Office list: > -----Original Message----- > From: Natrjak [mailto:natrjak@hotmail.com] > Sent: 12 September 2002 20:23 > To: NAResellers@twang.net > Subject: Re: [NA-Resellers] Interesting web site > > > Wrt the issues raised at this site :- > > 1) Fixed in Argent Branch/Office 2.2.60 > 2) Password can be cracked. Hacker needs to be on local LAN. > The who-is > packet can be filtered by use of a switching device placed > between directly > between PBX and all non trusted users, or by ensuring the Manager only > resides on the local Subnet and all users of this local subnet are > "trusted". > 3) The SNMP community string used for the Alchemy/IP Office range of > Equipment is [Public]. This is hard coded and cannot be changed. So no > real threat here, as if other devices on Network are configurable via SNMP > (which the Alchemy/IP Office isn't) then they should be set to > the customers > real community string and NOT [Public]. > 4) Yes the TFTP request for Hold Music uses broadcast address > 255.255.255.255 This will only reach PC's on the local subnet if > on a routed > network. If someone on your local net has a TFTP Server or > Manager running > then the IT guy should know about it. If you feel it is a problem place a > switching device on the local subnet so only the PC required to respond to > this broadcast can see it. Down to administration of local LAN I would > suggest. > > Happy reading. > > > Nat. R. Jacks Nat. R. Jacks purports to be from Avaya/Network Alchemy. Obviously these issues range from annoying to just plain wrong depending on your setup. The IP Office/Alchemy must be connected to the company network for PC-based call handling to work. The unit is also easily crashable from the local LAN using numerous bad packets on the ports used by the User and Administrative applications, although I've lost records of those, it's fairly easy to find them by sending packets to those ports. ---------------------------------------------------------------------------- Russ Garrett russ@garrett.co.uk. http://russ.garrett.co.uk.
