UC Software - Exposure of Sensitive Information to an Unauthorized Actor
Vulnerability Summary
In certain configurations, Polycom UCS Software for VVX Phones may disclose sensitive information. Polycom has found that recent software releases for the VVX line of phones may potentially disclose sensitive information when using Web Proxy Auto Discovery (WPAD) in a Microsoft environment.
If the phone is configured to use a web proxy but no web proxy credentials are provided, there is a risk that it may disclose sensitive information. This vulnerability could allow a privileged, local attacker, in specific circumstances, to read sensitive information. To exploit this vulnerability, an attacker must be able to access the VVX management interface and successfully log into an affected device.
Published
Last Update: 3/14/2022
Initial Public Release: 6/25/2018
Advisory ID: PLYVC18-05
Product Affected
PRODUCTS | FIRMWARE | FIX |
---|---|---|
VVX | UCS 5.7.0.11768, UCS 5.7.1.2205, UCS 5.7.2.1277, UCS 5.8.0.12386 | Software version later than identified vulnerable release |
Solution
Poly recommends customers upgrade to the respective firmware build or later.
Workaround
There is no workaround.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
Revision History
VERSION | DATE | DESCRIPTION |
---|---|---|
1.0 | 6/25/2018 | Initial Release |
1.1 | 7/3/2018 | Updates for fixed software version and mitigations |
1.2 | 7/11/2018 | Corrected some language for consistency |
2.0 | 3/14/2022 | Format Changes |