Product Support Notice
© 2016 Avaya Inc. All Rights Reserved.

PSN #: PSN004793u
Original publication date: 05-Aug-16. This is Issue #02, published date: 11-Oct-16.
Severity/risk level: High
Urgency: Immediately
Name of problem: Escalating privileges to root does not require authentication.
Products affected: Avaya Session Border Controller for Enterprise 7.1
Problem description: A local user such as ipcs can escalate privileges to root using sudo without any credentials.

Resolution

Install “71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz”.

Workaround or alternative remediation: n/a
Remarks: n/a

Patch Notes
The information in this section concerns the patch, if any, recommended in the Resolution above.

Backup before applying the patch: n/a
Download: n/a
Service-interrupting? N

Patch install instructions

1. Take a backup of SBCE before installing the patch.
2. Download patch 71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz from PLDS.
   md5sum: 0fdf98f3681cad5b46e92a5d1c15295f
   download Id: SBCE0000061
3. Install the patch first on EMS and then on SBCs.
4. Install patch “71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz” following the steps:

a. Copy the patch “71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz” to the /home/ipcs folder of SBCE.
b. Log in to SBCE and switch to the root user.
c. Ensure that you are in the ipcs directory: /home/ipcs
d. Untar the patch:

tar -xvzf 71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz

e. Run the following script: ./fix_AURORA_9194.sh

Verification

1. Log in to SBCE as the ipcs user and run the command “sudo -i”.
2. Verify that SBCE prompts for the root password.
3. Make calls to verify that SBCE functionality is not affected by the patch.
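Two checks from this procedure lend themselves to scripting: comparing the downloaded patch against the md5sum given in step 2 of the install instructions, and the verification that sudo no longer runs without a password. The script below is an added example, not Avaya code; the function names and the SUDO_BIN override are hypothetical.

```sh
#!/bin/sh
# Added example, not Avaya code. Function names and SUDO_BIN are hypothetical.
SUDO_BIN="${SUDO_BIN:-sudo}"   # override only to exercise the check with a stub

# verify_patch_md5 FILE EXPECTED
# Returns 0 only if the file's MD5 equals EXPECTED (the md5sum printed in the
# notice) and the 32 hex digits embedded in the file name agree with it.
verify_patch_md5() {
    vp_file=$1
    vp_expected=$2
    [ -f "$vp_file" ] || { echo "missing: $vp_file" >&2; return 2; }
    vp_actual=$(md5sum "$vp_file" | awk '{print $1}')
    vp_embedded=$(basename "$vp_file" .tgz | sed -E 's/.*_([0-9a-f]{32})$/\1/')
    if [ "$vp_actual" != "$vp_expected" ] || [ "$vp_embedded" != "$vp_expected" ]; then
        echo "MD5 mismatch: file=$vp_actual name=$vp_embedded notice=$vp_expected" >&2
        return 1
    fi
    return 0
}

# sudo_requires_password
# Run as the ipcs user; as root, sudo needs no password and the result is
# meaningless. Returns 0 if sudo refuses to run a command non-interactively,
# i.e. a password is now required.
sudo_requires_password() {
    "$SUDO_BIN" -k 2>/dev/null      # discard cached credentials first
    if "$SUDO_BIN" -n true 2>/dev/null; then
        return 1                    # command ran with no password: not fixed
    fi
    return 0
}

# Usage on the SBCE (values from the notice):
#   verify_patch_md5 /home/ipcs/71ga_patch_aurora9194_0fdf98f3681cad5b46e92a5d1c15295f.tgz \
#       0fdf98f3681cad5b46e92a5d1c15295f && echo "patch file OK"
#   sudo_requires_password && echo "sudo asks for a password"
```

A matching MD5 shows the download was not corrupted or truncated; it is not proof of authenticity, so take the file from PLDS itself.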

Known Issue and Workaround

After applying this patch, there is a known issue with certsync functionality on SBCE. Users get the following error when they try to run certsync from SBCE:

SBC#certsync
Preparing to synchronize certificates from EMS 10.255.x.x...
Cleaning up temp directory...
Connected to EMS 10.255.113.48.
Synchronizing certificates...
Input error
SBC#

Workaround: Install the patch after certificate installation, or manually sync the certificates to SBCE using the following procedure.

To manually sync the certificates to SBCE:

1. Install the certificates using the EMS GUI.
2. After installing the certificates, log in to the EMS CLI as a root user.
3. Run the following command to generate the certificate tar file:

python /usr/local/ipcs/icu/scripts/cert-bundle create

4. Go to the .certsync directory. This directory contains the certificates.tgz file with the current timestamp.

cd /archive/.certsync

5. Transfer the certificates.tgz file to all the SBCEs over Secure FTP using the following command:

sftp -oPort=222 ipcs@
sftp>put certificates.tgz

6. Log in to the SBCE CLI as a root user.

7. (Optional) If the tmp directory does not exist, create it using the following command:

mkdir /usr/local/ipcs/cert/tmp

8. Copy the certificate to the tmp folder using the following command:

cp /home/ipcs/certificates.tgz /usr/local/ipcs/cert/tmp/

9. Go to the tmp directory and untar the certificates.tgz file using the following command:

cd /usr/local/ipcs/cert/tmp
tar zxvf certificates.tgz

10. Copy the CA cert file from the tmp directory to the ca directory using the following command:

cp /usr/local/ipcs/cert/tmp/ca/* /usr/local/ipcs/cert/ca/

11. Copy the crl file from the tmp directory to the crls directory. If there are no crl files, skip this step:

cp /usr/local/ipcs/cert/tmp/crls/* /usr/local/ipcs/cert/crls/

12. Run clipcs and certinstall to install the certificate:

clipcs
SBC#certinstall

Note: Steps 6 to 12 must be performed on both the primary and secondary SBCE.

Failure: Contact Technical Support.
Patch uninstall instructions: n/a

Security Notes
The information in this section concerns the security risk, if any, represented by the topic of this PSN.

Security risks: n/a
Avaya Security Vulnerability Classification: Not Susceptible
Mitigation: n/a

If you require further information or assistance please contact your Authorized Service Provider, or visit support.avaya.com. There you can access product information, chat with an Agent, or open an online Service Request. Support is provided per your warranty or service contract terms unless otherwise specified in the Avaya support Terms of Use.

Disclaimer: ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED “AS IS”. AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS “AVAYA”), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS’ SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA. All trademarks identified by ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

BusinessPartner Notes
Additional information for BusinessPartners: n/a

Avaya Notes
Additional information for Tier 3, Tier 4, and development: n/a