Some vulnerabilities have been reported in Avaya SIP Enablement Services, which can be exploited by malicious people to disclose sensitive information and by malicious users to compromise a vulnerable system.

1) Certain pages in the web administration interface do not perform proper authentication checks. This can be exploited to disclose potentially sensitive information without authentication.

2) Unspecified input validation errors in the administration interface can be exploited to execute arbitrary code on an affected system.

Successful exploitation requires valid user credentials to the administration interface.

The vulnerabilities are reported in version 3.x and 4.0.

Solution
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Provided and/or discovered by
VoIPshield

Changelog
Further details available to Secunia VIM customers

Original Advisory
Avaya:
http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm

VoIPshield:
http://www.voipshield.com/research-details.php?id=76
http://www.voipshield.com/research-details.php?id=77
http://www.voipshield.com/research-details.php?id=78
http://www.voipshield.com/research-details.php?id=81
http://www.voipshield.com/research-details.php?id=82
http://www.voipshield.com/research-details.php?id=83
http://www.voipshield.com/research-details.php?id=84
http://www.voipshield.com/research-details.php?id=85
http://www.voipshield.com/research-details.php?id=86
http://www.voipshield.com/research-details.php?id=87
http://www.voipshield.com/research-details.php?id=88
http://www.voipshield.com/research-details.php?id=89
http://www.voipshield.com/research-details.php?id=90
http://www.voipshield.com/research-details.php?id=91

Deep Links
Links available to Secunia VIM customers