Wondering if anyone has done this, but our security folks flagged our Utility server as trying to make an outbound connection to a malicious IP address. They want to install a security agent on it. Is that permitted w/o violating support?
Can they give you any more details about the malicious IP address?
I had to argue with Avaya for a bit because I couldn't download Workplace for a bit. Because they package ZIP files with the app and there's Outlook add-ins bundled in there and they're lazy about it, Google can consider the web page malicious. I'd be interested in what IP they said did it and then do some ARIN lookup of who owns that IP. Maybe it was just reaching out to Avaya.
I can't see why it would necessarily need to reach out to Avaya, but it's just a guess about why it might have shown up on security's radar.
The alert came from the Utility server, which is internal. It tried to connect outbound to some known malicious IP. Other than SAL, the SBC should be the only thing able to hit that via reverse proxy.
What port was the connection trying to use? That may give you an idea of what it was trying to do.
You should be blocking any outbound connections that don't match an ACL on your firewall, so I'd ask them why it was being permitted outbound and tell them to block external traffic for the util server.
Problem was legit. Utility server was compromised via the SBC. The phonebackup directory had malicious entries of PHP files that called back out. In case anyone uses Utility server, be aware of the vulnerability.
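A quick triage check for the situation described in this post (PHP files planted in a backup directory that should only hold data). This is an added example, not code from the thread or from Avaya; the directory layout and sample files are constructed, and the script flags anything with a PHP extension or an opening PHP tag regardless of extension.

```python
"""Flag files that look like PHP code inside a data-only directory
(e.g. a web-exposed phonebackup folder). Added example; sample tree
below is constructed for demonstration."""
import os
import re
import shutil
import tempfile

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def scan_data_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files.

    A file is flagged by extension (covers double extensions such as
    x.jpg.php) or by an opening PHP tag in its first 64 KiB, so a
    script renamed to .png is still caught."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable file: skip, do not crash the sweep
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def demo():
    """Build a constructed phonebackup tree: two benign files, two to flag."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "phonebackup"))
    samples = {
        "phonebackup/ext1001.tar.gz": b"\x1f\x8b\x08 constructed bytes",
        "phonebackup/notes.txt": b"backup taken 2021-12-01",
        "phonebackup/cache.php": b"<?php /* constructed placeholder */ ?>",
        "phonebackup/logo.png": b"\x89PNG\r\n<?php /* hidden by ext */ ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(tmp, rel), "wb") as fh:
            fh.write(data)
    try:
        return scan_data_dir(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run it against the real directory with `scan_data_dir("/path/to/phonebackup")`; any hit in a directory that should contain only backup archives warrants a closer look at file timestamps and web server access logs.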
Yes Avaya SBC via reverse proxy. We are on the latest version of utility server. This vulnerability was addressed in AADS but there’s no patch for the utility server. Trying to get someone in support to opine on if the AADS patch can be applied to the utility server.
For the filexfer we have in the reverse proxy: B1 HTTPS --> A1 to host 10.x.x.x port 80. Avaya produced a fix for this exact vulnerability for the AADS server, but not the Utility Server. Probably because it's not being updated going forward. We are trying to find out if the fix that was applied to AADS can be installed on the Utility server. The documented vulnerability is pretty much the same thing.
Starting with 8.0 the utility server went away. Since 7.x is no longer supported, Avaya probably won't be creating any patches. Assuming this was a log4j issue?