#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Avaya Equinox
# Vendor:   Avaya
# CSNC ID:  CSNC-2020-027
# CVE ID:   CVE-2020-7037
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Sylvain Heiniger
#           Alex Joss
# Date:     2021-05-19
#
#############################################################

Introduction
------------

Avaya Equinox® Conferencing [1] delivers an all-inclusive solution for
voice, video and desktop sharing. It enables organizations to deploy on
virtualized platforms, realizing simplicity and efficiency while
providing the elegant and simple user experience that Avaya Workspaces
offers. By leveraging virtualized platforms, scaling and redundancy
capabilities enable a lower TCO for customers with a full video endpoint
conferencing suite of features.

Solution components include: Avaya Equinox Management, Avaya Equinox
Media Server, Avaya Aura Web Gateway, Avaya Equinox H.323 Edge, Avaya
Equinox Streaming and Recording, Avaya Aura Session Border Controller,
Avaya Workplace Client, Avaya XT Room Systems, Avaya Collaboration Unit
CU360.

During a security assessment, Compass Security analysts found that an
API endpoint used by the screen sharing application accepts XML content.
The XML parser does not restrict the use of external entities, which
allows for a variety of attacks such as SSRF (Server-Side Request
Forgery), Denial of Service (DoS) and arbitrary file read.

Affected
--------

Vulnerable version:

* Avaya Equinox® Conferencing 9.0 through 9.1 FP10

Patched version:

* Avaya Meetings® Server R9.1 FP11 or later

Workaround / Fix
----------------

Install the updated version provided by Avaya [2].
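The root cause described above is an XML parser that honours DOCTYPE and entity declarations on an endpoint that never needs them. The following is an added example, written for this advisory and not code from Avaya or Compass Security, of how a server-side endpoint can parse XML with Python's standard-library expat binding so that DOCTYPE declarations, entity declarations and external entity references abort parsing before anything is expanded or fetched. The endpoint name, the `<share>` document shape and the sample request bodies are constructed for illustration; the `file:///constructed/placeholder` URI is a placeholder, not a real target. The `contains_dtd_markers` screen is a cheap pre-parse check suitable for logging and alerting; it complements, but does not replace, the parser configuration.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses DTD features the hardened parser refuses."""


def contains_dtd_markers(data):
    """Cheap pre-parse screen: True if the body carries a DOCTYPE or ENTITY
    declaration. Useful as a detection/alerting signal on an endpoint whose
    legitimate clients never send a DTD; not a substitute for parser hardening."""
    if isinstance(data, str):
        data = data.encode("utf-8", "replace")
    upper = data.upper()
    return b"<!DOCTYPE" in upper or b"<!ENTITY" in upper


def parse_hardened(data, forbid_dtd=True):
    """Parse XML (bytes or str) and return (root_tag, concatenated text).

    expat handlers are installed so that:
      * any <!DOCTYPE ...> aborts parsing (when forbid_dtd is True),
      * any entity declaration (internal or external) aborts parsing,
      * any external entity reference aborts parsing.
    Because the abort happens at declaration time, no entity is expanded
    (DoS) and no SYSTEM identifier is ever resolved (SSRF / file read)."""
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # The hypothetical screen-sharing API has no legitimate use for a DTD.
        raise UnsafeXMLError("DOCTYPE declaration not allowed: %s" % name)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities enable expansion attacks; a SYSTEM/PUBLIC id
        # (sysid/pubid set) means an external entity, i.e. the XXE case.
        raise UnsafeXMLError("entity declaration not allowed: %s" % name)

    def external_entity_ref(context, base, sysid, pubid):
        # Defence in depth: even if a declaration slipped through, never
        # hand the parser a chance to resolve an external identifier.
        raise UnsafeXMLError("external entity reference not allowed: %r" % sysid)

    def start_element(tag, attrs):
        if state["root"] is None:
            state["root"] = tag

    def char_data(text):
        state["text"].append(text)

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data

    # Exceptions raised inside a handler stop the parser and propagate here.
    parser.Parse(data, True)
    return state["root"], "".join(state["text"])


# Constructed sample request bodies for a hypothetical screen-sharing endpoint.
BENIGN_BODY = b'<?xml version="1.0"?><share><session>abc123</session></share>'
DTD_BODY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE share [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<share><session>&ext;</session></share>"
)


def handle_request(body):
    """Return a (status, detail) tuple the way an endpoint handler would."""
    if contains_dtd_markers(body):
        # Worth an alert: legitimate clients never send a DTD to this endpoint.
        return 400, "dtd-markers-rejected"
    try:
        root, text = parse_hardened(body)
    except UnsafeXMLError as exc:
        return 400, str(exc)
    return 200, "%s:%s" % (root, text)


if __name__ == "__main__":
    print(handle_request(BENIGN_BODY))  # (200, 'share:abc123')
    print(handle_request(DTD_BODY))     # (400, 'dtd-markers-rejected')
```

Note that `parse_hardened(DTD_BODY, forbid_dtd=False)` still refuses the document: the DOCTYPE is allowed through, but the entity declaration handler fires before the entity can be referenced, which is the layered behaviour a production parser should have.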
Timeline
--------

2020-11-02: Discovery by Sylvain Heiniger
2020-11-13: Initial vendor notification
2020-11-19: Initial vendor response
2021-04-28: Release of fixed version / patch
2021-05-19: Coordinated public disclosure date

References
----------

[1] https://support.avaya.com/products/P1670/avaya-equinox-conferencing/9.1.x
[2] https://downloads.avaya.com/css/P8/documents/101075574