Avaya data leak bug

Fabric Connect VSP boxen need OS upgrade

A group of security researchers have disclosed a now-fixed bug in Avaya data centre hardware that allows shortest-path first (SPB) bridges to be traversed.

It's not remotely exploitable, but it's worth remembering that there's plenty of concern among data centre customers and admins about keeping tenant traffic private, both from other tenants and from the sysadmins who toil away inside bit barns.

The issue is in the Avaya Fabric Connect Virtual Service Platform (VSP), which has a bug in how it handles VLAN and I-SID (service instance VLAN ID) indexes. A crafted Ethernet frame provides “unauthorised access to devices intended to be secured from untrusted traffic sources”, the post to Bugtraq states.

Users of VSP versions 4.2.3.0, 5.0.1.0 and 5.1.0.0 need to upgrade.

The software is present on the VSP 4000 series edge devices, the VSP 7200 rack-to-rack switches, and VSP 8000 core switches.

The bugs were discovered by Stora and Kryptos Logic in 2015, and while Avaya's patches were issued in February 2016, CVE-2016-2783 has only now been cleared for disclosure. ®