CVE-2023-3722 Scanner

Avaya Aura Device Services is a comprehensive suite of applications and features designed for enterprise communication networks. It is widely used in corporations to manage unified communications infrastructure, particularly those relying on Avaya systems. Avaya provides tools for device management, user authentication, and system monitoring to enhance network efficiency. Large enterprises and service providers use Avaya Aura to facilitate seamless business communications. In recent times, Avaya Aura Device Services has been essential for organizations looking to streamline their telecommunication requirements. By integrating these services, companies can ensure better connectivity and workflows across various departments.

The OS Command Injection vulnerability in Avaya Aura Device Services poses a significant risk to systems utilizing this application. It allows attackers to execute arbitrary commands on the host operating system via the web server running the application. This type of vulnerability arises when user input is improperly sanitized, enabling the execution of malicious commands. Remote Code Execution (RCE) is possible, making it a critical issue that must be addressed promptly. The vulnerability affects version 8.1.4.0 and earlier of the Avaya Aura Device Services. Exploiting this vulnerability could lead to unauthorized access and control over the server hosting the application.

The vulnerability in Avaya Aura Device Services is due to improper handling of input within the PhoneBackup endpoint. Attackers can upload a file with a .php extension and inject malicious PHP code. The server then executes this code when the file is accessed, allowing arbitrary commands to be run with the server's privileges. Specifically, the vulnerability leverages a PUT request to upload a PHP file and a subsequent GET request to execute the injected code. The vulnerable parameter is the file name and its content, which are processed without adequate validation. The risk is heightened by the lack of authentication during the file upload process.

Exploiting the OS Command Injection vulnerability can have dire consequences, including unauthorized system access, data breaches, and compromised server environments. Malicious actors could execute arbitrary commands, leading to information theft or complete system takeover. The affected systems might become part of a botnet, used for further attacks or illicit activities. Moreover, business operations dependent on the affected Avaya systems could be severely disrupted. Organizations could face financial losses, reputational damage, and potential legal ramifications due to data protection violations. It is crucial to address this vulnerability to prevent exploitation and ensure system security.

REFERENCES

• https://github.com/pizza-power/CVE-2023-3722
• https://download.avaya.com/css/public/documents/101076366