Reference13r3:Release Notes Security

From innovaphone wiki
There are also other versions of this article available: Reference13r1 | Reference13r2 | Reference13r3 (this version) | Reference14r1 | Reference14r2

This is the Security 13r3 Release Notes Document. It is an extract of the 13r3 Release Notes showing only the security fixes made. Security-sensitive customers can use it to decide whether a new Service Release requires an update of the innovaphone structure.

Service Releases are planned for the second Monday each month.

Please see the disclaimer before using the information presented here!


Security 13r3

13r3 Service Release 3 (137803)

139670 - Additional protection against theoretical XSS possibility in pbx_appclient_popup.htm

  • The page no longer works if loaded without a window.opener.
  • The page no longer works if loaded in a standard browser; it works only in the myApps launcher.
  • The URL parameter no longer allows data URLs.

13r3 Service Release 4 (137818)

142560 - App Devices: do not allow to provision a device to a different domain if already provisioned

It is no longer possible to provision a device into another domain if the device is already inside a domain in Devices.


If you want to reprovision a device to a different domain, you must first remove it from its current domain.


13r3 Service Release 5 (137834)

143535 - Enable "password protect all HTTP pages" in install.htm

After completing the installation, the option shall be enabled by default.


Idea: hide information like device type, MAC address, firmware version that is displayed on the start page of the advanced UI.

144019 - myApps Windows: improved signature validation in update service

13r3 Service Release 7 (137863)

146639 - App Devices: security fix for a possible privilege escalation through the provisioning process

Requirements to perform the attack:
* enabled checkmark "Deploy domain passwords on all devices" on the domain
* standard PBX user account with access to the Profiles App

Attack scenario:

* phone provisioning using the Profiles App could be abused by authenticated but non-privileged users to gain access to the domain password


Fix:
* the creation of provision codes through the Profiles and Users Admin App now creates non administrative provision codes
* the creation of provision codes through the Devices App creates administrative provision codes (as only administrators have access to the Devices App)
* if a non administrative provisioning code is used, the provisioned device gets a random password as administrative password
* if an administrative provisioning code is used, the provisioned device still gets the domain password

Already provisioned devices:
* all non phone devices will be automatically handled as if provisioned with an administrative provisioning code and will still get the domain password
* all phone devices will still get the domain password, but you can decide to switch these devices to random passwords too: https://wiki.innovaphone.com/index.php?title=Support:Device_password_deployment_mechanism_changed_in_13r3SR7/13r2SR25

New devices:
* all devices provisioned by the automatic provisioning process will get random passwords (no matter which device type)
* a device provisioned with a provisioning code will get either a random or the domain password depending on how the code was created (see Fix above)
* phone devices added manually in the Devices UI will get random passwords
* non phone devices added manually in the Devices UI will get the domain password


Direct access to a device with a random password:

You can request the clear text password in the Devices App in the settings of a device.


If you reprovision an already provisioned device, the device will get a new random sysclient password.


Discovered by PenTesting of SSyS

13r3 Service Release 8

149035 - App Platform Manager: restrict access to manager logs

The log file directory of the App Platform manager itself had wrong access rights which allowed read access for non root users.

13r3 Service Release 13 (137934)

159317 - Advanced UI: Prevent XSL injection

The servlets for the advanced UI accept an "xsl" URL parameter that specifies the XSLT file for displaying the corresponding page.


Before this fix it was possible to specify a URL containing a colon represented in XML entity encoding.


CVE-2024-28722
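
The class of check that closes this kind of gap, shown as an added example (not innovaphone's code): decode the "xsl" value to its canonical form first, then validate it. The stylesheet names, the allowlist and the literal_colon_check stand-in are assumptions; the page does not show the actual implementation.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical allowlist; the page does not name the real stylesheet files.
ALLOWED_XSL = {"home.xsl", "admin.xsl"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.xsl")
MAX_ROUNDS = 5  # bound on nested encoding layers we are willing to peel

def canonicalize(value: str) -> str:
    """Undo percent-encoding and character references until the value is stable."""
    for _ in range(MAX_ROUNDS):
        # html.unescape resolves &#58; / &#x3A; and named references.
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def check_xsl_param(raw: str) -> str:
    """Return the stylesheet name to load, or raise ValueError."""
    name = canonicalize(raw)
    if ":" in name:
        raise ValueError("scheme separator in xsl parameter")
    if not NAME_RE.fullmatch(name) or name not in ALLOWED_XSL:
        raise ValueError("not a known local stylesheet")
    return name

def literal_colon_check(raw: str) -> bool:
    """Assumed stand-in for a check that only looks for a literal colon."""
    return ":" not in raw

def accepts(raw: str) -> bool:
    """True if the canonicalizing check lets the value through."""
    try:
        check_xsl_param(raw)
        return True
    except ValueError:
        return False

# Constructed sample values, not taken from the release note.
SAMPLES = ["home.xsl", "http://example.invalid/a.xsl",
           "http&#58;//example.invalid/a.xsl", "http%26%23x3A;//example.invalid/a.xsl"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: literal check={literal_colon_check(s)} canonical check={accepts(s)}")
```

The two entity-encoded samples pass the literal check but are rejected once decoded, which is the behaviour the fix description implies.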


157823 - AP Manager Login: Fix for brute force attacks

CVE-2024-24721

13r3 Service Release 16