Avaya MS09-020 Vulnerabilities User Manual

MS09-020 Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation
of Privilege (970483)

Original Release Date: June 10, 2009
Last Revised: June 10, 2009
Number: ASA-2009-215
Risk Level: Medium
Advisory Version: 1.0
Advisory Status: Final

1. Overview:

Microsoft issued a security bulletin which contained security advisory MS09-020. This
security update resolves vulnerabilities in Microsoft Internet Information Services (IIS)
that could allow elevation of privilege if an attacker sent a specially crafted HTTP request
to a Web site that requires authentication. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the names CVE-2009-1122 and CVE-2009-1535 to
these issues. A description of the vulnerabilities may be found at:

• http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

Certain Avaya products utilize Microsoft Operating Systems and may be affected by this
vulnerability.

2. Avaya System Products:

Avaya system products include an Operating System with the product when it is
delivered. The system products described below are delivered with a Microsoft Operating
System. Actions to be taken with these products are also described below.

Product:

Avaya Messaging
Application Server

Recommended Actions:

Avaya strongly recommends that customers follow networking and security best practices
by implementing firewalls, ACLs, physical security or other appropriate access
restrictions. Though Avaya believes such restrictions should always be in place; risk to
Avaya's product and the surrounding network from this potential vulnerability may be
mitigated by ensuring these practices are implemented until such time as a product update

Affected
Version(s):

All Medium

Risk
Level:

Actions:

Avaya recommends that customers
install the security update as provided
via Microsoft Windows Update.

can be installed. Further restrictions as deemed necessary based on the customer's
security policies may be required during this interim period.

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems.
Occasionally vulnerabilities may be discovered in the underlying operating system or
applications that come with the operating system. These vulnerabilities often do not
impact the software-only product directly but may threaten the integrity of the underlying
platform.

In the case of this advisory Avaya software-only products are not affected by the
vulnerability directly but the underlying Microsoft Windows platform may be. For
affected Microsoft Operating Systems, Microsoft recommends installing patches.
Detailed instructions for patching the Operating System are given by Microsoft at the
following link:

• http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

Product:

Avaya Agent Access All Versions
Avaya Basic Call Management System Reporting Desktop -

client
Avaya Basic Call Management System Reporting Desktop -

server
Avaya Call Management Server (CMS) Supervisor All Versions
Avaya CallVisor ASAI LAN (CVLAN) Client All Versions
Avaya Computer Telephony All Versions
Avaya Contact Center Express (ACCE) All Versions
Avaya Customer Interaction Express (CIE) All Versions
Avaya Enterprise Manager All Versions
Avaya Integrated Management All Versions

Software
Version(s):

All Versions

All Versions

Avaya Interaction Center (IC) All Versions
Avaya Interaction Center (IC) - Voice Quick Start All Versions