PT-2008-4505 · Avaya · Avaya Communication Manager, Avaya Message Storage Server

Published: 2008-07-09 · Updated: 2017-08-08 · CVE-2008-3081

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Avaya Message Storage Server (MSS) versions 3.x through 4.0; Avaya Communication Manager versions 3.1.x
Description: The issue is related to multiple unspecified input validation vulnerabilities in the Web management interface of the affected software. These vulnerabilities allow remote authenticated administrators to execute arbitrary commands as user vexvm. The vulnerabilities are related to various configuration settings and actions, including SFTP Remote Store configuration, remote FTP storage settings, name server lookup, pinging another host, TCP/IP Networking parameter configuration, external hosts configuration, Windows domain parameter configuration, date, time, and NTP server configuration, alarm settings, command line history form, maintenance form, and server events form.
Recommendations: For Avaya Message Storage Server (MSS) versions 3.x through 4.0, consider restricting access to the Web management interface until a fix is available. For Avaya Communication Manager versions 3.1.x, avoid using the vulnerable configuration settings and actions until the issue is resolved. As a temporary workaround, consider disabling the remote administration feature for the Web management interface until a patch is available. Restrict access to the vexvm user account to minimize the risk of exploitation.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2008-3081

Affected Products

Avaya Communication Manager
Avaya Message Storage Server