Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Wondering if anyone has done this,

Status
Not open for further replies.
wpetilli

wpetilli

Technical User
May 17, 2011
1,877
US
Wondering if anyone has done this, but our security folks flagged our Utility server as trying to make an outbound connection to a malicious IP address. They want to install a security agent on it. Is that permitted w/o violating support?
 
Sort by date Sort by votes
Do you have root access? Usually Avaya charges for root access. If you do not have root, then they won't be able to install the agent.
 
Upvote 0 Downvote
Avaya typically voids support if you have 3rd party software installed with their servers.
 
Upvote 0 Downvote
Can they give you any more details about the malicious IP address?

I had to argue with Avaya for a bit because I couldn't download Workplace for a bit. Because they package ZIP files with the app and there's Outlook add-ins bundled in there and they're lazy about it, Google can consider the web page malicious. I'd be interested in what IP they said did it and then do some ARIN lookup of who owns that IP. Maybe it was just reaching out to Avaya.

I can't see why it would necessarily need to reach out to Avaya, but it's just a guess about why it might have shown up on security's radar.

 
Upvote 0 Downvote
The alert came from the Utility server, which is internal. It tried to connect outbound to some known malicious IP. Other than SAL, the SBC should be the only thing able to hit that via reverse proxy.
 
Upvote 0 Downvote
What port was the connection trying to use as that may give you an idea of what it was trying to do.

You should be blocking any outbound connections that don't match an ACL on your firewall so I'd ask them why it was being permitted outbound and tell them to block external traffic for the util server.
 
Upvote 0 Downvote
Problem was legit.. utility server was compromised via the SBC. the phonebackup directory had malicious entries of php files that called back out. In case anyone uses Utility server.. be aware of the vulnerability.
 
Upvote 0 Downvote
Yes Avaya SBC via reverse proxy. We are on the latest version of utility server. This vulnerability was addressed in AADS but there’s no patch for the utility server. Trying to get someone in support to opine on if the AADS patch can be applied to the utility server.
 
Upvote 0 Downvote
For the filexfer we have in the reverse proxy B1 HTTPS --> A1 to host 10.x.x.x port 80 - Avaya produced a fix for this exact vulnerability for the AADS server, but not the Utility Server. Prob cause it's not being updated going forward. We are trying to find out if the fix that was applied to AADS can be installed on the Utility server. The documented vulnerability is pretty much the same thing.
 
Upvote 0 Downvote
Starting with 8.0 the utility server went away. Since 7.x is no longer supported, Avaya probably won't be creating any patches. Assuming this was a log4j issue?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mikespeak20
  • Locked
  • Question
thread690-1615875 Does anyone have
Replies
1
Views
97
Arlo555
Arlo555
snajo
  • Locked
  • Question
SIP Trunk on CM7... Can it be done?
Replies
5
Views
239
snajo
snajo
Skyer Lan
  • Locked
  • Question
Does anyone know how to integrate medians-1000B about T1 CAS?
Replies
1
Views
121
JefferP
JefferP
wpetilli
  • Locked
  • Question
Has anyone toyed with this setting
Replies
1
Views
86
biglebowski
biglebowski
Ed67879
  • Locked
  • Question
Unable to delete SIP users from Avaya SMGR after CM has been decommissioned
Replies
1
Views
175
ZeroZeroOne
ZeroZeroOne

Part and Inventory Search

Sponsor

Back
Top