Avaya has finished our investigation of this issue and an Avaya Security Advisory, ASA-2005-041, has been released. The advisory can be obtained from: http://support.avaya.com/security or directly from: http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_ Leak.pdf We expect that this advisory will be updated with available patches or timeframes in the future. For reference, links to Avaya's Vulnerability Classification system and Avaya's Vulnerability Response Policy are below: http://support.avaya.com/elmodocs2/security/security_vulnerability_class ification.pdf http://support.avaya.com/elmodocs2/security/security_vulnerability_respo nse.pdf (URL may be wrapped) -John Walton, CISSP Lead Security Engineer Product Security Support Team (PSST) Avaya, Inc. -----Original Message----- From: Walton, John Michael (John) Sent: Wednesday, February 23, 2005 5:17 PM To: grutz@xxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx; m123303@xxxxxxxxxxxxxx Subject: RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability Avaya is aware and currently investigating this issue. Once our investigation is complete we will release an Avaya Security Advisory to address the outlined concerns. In the interim, we've asked Mitre to assign a Common Vulnerability and Exposures (CVE) candidate number for this issue. They have assigned CAN-2005-0506: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0506 Congruent with generally acceptable security practices, Avaya recommends that customers restrict remote and local access to their systems to reduce risks. Alternatively, customers may choose not to utilize the "Remember save password" feature in order to prevent a user's password from being stored in the Windows registry. Please note the Avaya Product Security Support Team (PSST) takes the security of Avaya products seriously. We would like to develop a relationship with our customers and the public to encourage them to forward vulnerabilities to us. Please send information regarding any discovered security problems with Avaya products to securityalerts[at]avaya.com. I, or someone on the PSST, will work directly to validate the problem and coordinate a response; including an acknowledgement for working with us to help protect customers. John Walton, CISSP Lead Security Engineer Product Security Support Team (PSST) Avaya, Inc.
