Anyone patching the 96xx phone vulnerability yet?

(OP)
I have a couple emails from clients worried when they saw Avaya in the news today for a vulnerability in their 96XX phones.

Apparently the patch has been out since June 25th. Not sure why it's just making news now.

The fixes... https://support.avaya.com/downloads/download-detai...

RE: Anyone patching the 96xx phone vulnerability yet?

Same here. Been updating (having some trouble getting the update to take on all phones but I don't think it is the firmware itself--just that sending remote command to reregister doesn't seem to get the phones to pick up firmware on r11 fp4 sp1)

RE: Anyone patching the 96xx phone vulnerability yet?

The public statement from Avaya.


TO: AVAYA SALES, PARTNERS, AND CUSTOMERS

REGARDING: RECENT NEWS ARTICLES ABOUT AVAYA H.323 PHONE VULNERABILITY

You may have seen or received questions about a security issue with certain Avaya desktop phones due to recent news articles.

This concern is regarding a 10 year old bug that re-surfaced on certain Avaya desktop and conferencing phones.

Please be aware that:

- This issue only affects 9608, 9608G, 9611G, 9621G, 9641G, 9641GS, B189, J169, and J179 devices using H.323 signaling. Those same devices using SIP signaling are unaffected.

- This issue has already been addressed in the June 25th release of software (version 6.8.2) for these devices.

If you would like to better understand this or to be better able to address any questions you may receive, please review the Avaya Security Advisory (ASA) ASA-2019-128 issued on July 18, 2019 that can be found at this link (https://downloads.avaya.com/css/P8/documents/10105...).

You may also provide this link to anyone else that is interested in this matter.

This ASA contains a link to Avaya’s Product Vulnerability Response Policy (https://downloads.avaya.com/css/P8/documents/10004...) that provides more details on the formal structure that Avaya uses to monitor, assess, and notify stakeholders of potential security issues.

In addition, any inquiries can be best responded to with the following statement:

“Avaya has a clear and well-defined policy that requires our products to use the most recent software release to make sure security issues are addressed in a timely manner.

With respect to the security issue identified in ISC DHCP, Avaya issued a security advisory (https://downloads.avaya.com/css/P8/documents/10105...) on July 18, 2019 that addresses and resolves the identified risk. Avaya thanked Philippe Laulheret for his responsible disclosure and cooperation with Avaya during the handling of this matter.

Customers should always make sure that physical access to communications devices is limited to approved personnel to prevent physical tampering with these devices by unauthorized entities.”

THANK YOU!

No I don't write all the manuals. No I don't code the software. No I don't design the phones.

RE: Anyone patching the 96xx phone vulnerability yet?

Shoot. More of a reason to get a couple older CM 5 systems replaced that we were on the fence about (since the update doesn't go back to CM 5 systems).

OP: funny enough, I was wondering if this thread of yours ever got resolved: https://www.tek-tips.com/viewthread.cfm?qid=178462... Running into something similar with the provider insistent the static is not their fault and have tried just about everything except for a full chassis swap. Sorry for the random post, lurker/occasional poster and the thread is closed and I don't think?? we can send PM's here.

RE: Anyone patching the 96xx phone vulnerability yet?

Keep in mind, while the patch was resolved in June, the R11 SP1 is still running 6.6.6 for 96x1 sets...

will need to download the 6.8.2 to resolve this issue.....

RE: Anyone patching the 96xx phone vulnerability yet?

Keep in mind for your older systems. They will need to be upgraded. We've got a customer with a mix of 5400 and 9600 series phones running on 10.0 SP3. They want them patched but have to get rid of 5400 series first.

The Avaya IP Deskphones/IP Phones using Avaya Deskphone H.323 Release 6.8.2 software are supported on:
• IP Office™ 10.0 SP7
• IP Office™ 10.1 SP3
• IP Office™ 11.0 and associated service packs (all models except J169/J179)

If vegetarians love animals so much, why are they eating all of their food?

RE: Anyone patching the 96xx phone vulnerability yet?

Andhee, incorrect
I have 5600 phones on R10 and 10.1
no issues.

RE: Anyone patching the 96xx phone vulnerability yet?

What service pack are you running? You might be able to make and receive calls but many button features stopped working after SP3.
Plus, they are not supported by Avaya. Why would you be running a supported version of IPO but not the phones?
Just because you can doesn't mean you should.

If vegetarians love animals so much, why are they eating all of their food?

RE: Anyone patching the 96xx phone vulnerability yet?

there are differences between 5400 and 5600!

RE: Anyone patching the 96xx phone vulnerability yet?

All releases of R10
10.1 no sp and sp1.
5400 and 5600 phones.
no issues
no issues with buttons.

RE: Anyone patching the 96xx phone vulnerability yet?

Not supported doesn't mean not working.
But I had issues with some phone types not working on a release and another one on the same release had no problems with the same phones.
Seems it also has to do with hardware and the tide and the time of day it was upgraded .... :) could never make a 100% prediction if stuff really works after the upgrades.

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
