Alcatel-Lucent Security Advisory No. SA-C0057 Ed. 02
Information about Kernel vulnerability Dirty Cow

Summary

A set of major vulnerabilities has been raised in the Linux kernel and potentially affects all operating systems. Please see the details of the alert below.

• CVE-2015-8956
• CVE-2016-5195 (Dirty Cow)
• CVE-2016-7042
• CVE-2016-7425

In particular, CVE-2016-5195, labeled Dirty Cow (for copy-on-write), is an undocumented issue in the memory management code that leads to a race condition and allows a local attacker to gain root-level privileges. See https://dirtycow.ninja/

References

Reference: CVE-2016-5195
Date: 11/10/2016
Risk: High
Risk on ALE products: Low
Impact: Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service
Attack expertise: Low
Attack requirements: Locally exploitable
CVSS v3 score: 7.8 High - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195
https://dirtycow.ninja/

Description of the vulnerability

Dirty Cow is a vulnerability that requires a local account to be exploited: an unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This vulnerability has minimal impact on ALE products since customers already control which highly privileged users are allowed access to the system, where such access is available. For example, the existing OS accounts are already admin-level users; there is no OS account for end users with low-level privileges. End users rely on application-level accounts only (e.g. OpenTouch application accounts). Privilege escalation is thus not relevant in this context.

Nevertheless, since this affects the Linux kernel of the operating systems used for ALE products, the corresponding corrections are part of the delivered upgrades of the environment packages for the concerned products, as for any other embedded component.
See the version information in the next section.

Impacts

No direct impacts are considered on Alcatel-Lucent Enterprise products. However, kernel fixes can be obtained by upgrading the concerned version of the underlying operating systems, as described in the next section.

Status on Alcatel-Lucent Enterprise products

List of products and releases embedding the impacted component. Note again that there is no direct vulnerability; upgrades are delivered to match the latest kernel version integrating the corresponding fixes.

Product Name | Release
OpenTouch Business Edition | Up to OT 2.2.110.002 (excluded)
OpenTouch Multimedia Services | Up to OT 2.2.110.002 (excluded)
OmniPCX Communication Server Solution, INTIP3/GD3 | Not concerned until release 11.x; fix embedded in release 12
OpenTouch Edge Server | Up to OT 2.2.110.002 (excluded)

Special note on not impacted products

Product Name | Release
OmniPCX Office RCE | Not impacted: the product does not expose any kind of shell that could be used to leverage the privilege escalation. Additional software installation on the product is not possible.
All terminals range | Linux-based devices are not impacted. Additional software installation on the product is not possible. The contained command lines do not make it possible to change or use external components to leverage the privilege escalation.
OpenTouch Session Border Controller | Not impacted

Resolution for Alcatel-Lucent Enterprise affected products

Fixed Software Versions/Patches

Product | Fixed in | Date
OpenTouch Business Edition | OT 2.2.110.002 | December 9th, 2016
OpenTouch Multimedia Services | |

Frequently Asked Questions

Where can I find the release policy for ALE products?
The release policy for ALE products is available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Where can I download ALE software patches?
Software patches will be available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Are OS releases on ICS servers supported by ALE?
ALE does not provide any Operating System (OS) support for the ICS releases.

If you are running an affected RHEL (from version 4 to version 7), we recommend that you upgrade the operating system according to your vendor's instructions.

History

Ed.01 (2016 December 1st): Vulnerability information creation
Ed.02 (2017 January 3rd): Product list information update: OpenTouch Session Border Controller is not impacted