CVE-2017-11309
published 2017-11-10

CVE-2017-11309: Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute arbitrary code via a long response.

Priority: P357
Severity: critical, 9.6 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 9.40% (94.8th percentile)

Affected

1 range

Vendor   Product     Version range   Fixed in
avaya    ip_office   < 10.1.1        10.1.1

Detection & IOCs (extracted from sources)

  • Detect a malicious server sending an oversized response to an Avaya SoftConsole client outbound connection; the exploit payload begins with 452 'A' bytes followed by a NOP sled and shellcode, delivered over TCP port 80.
  • Alert on SoftConsole.exe spawning unexpected child processes (e.g., wusa.exe) — the PoC shellcode launches wusa.exe as its payload.
  • Look for SEH-based exploitation patterns in memory of SoftConsole.exe: SEH handler overwritten with address 0x50E149FD inside IndyCore190.bpl, which has no SafeSEH/ASLR protections.
  • Monitor for network connections from SoftConsole.exe to untrusted/external servers; the attack requires the Avaya user to connect to an attacker-controlled server.
  • The exploit targets IndyCore190.bpl (v19.0.14356.6604) loaded by SoftConsole.exe with no ASLR, no Rebase, and no SafeSEH — the ROP/SEH gadget addresses are only reliable on systems where this DLL is loaded at its default base address.
  • The shellcode was tested on Windows 7 only; reliability on other OS versions is unconfirmed.
  • Affected versions are Avaya IP Office 9.1.0 through 10.1; versions 10.1.1 and later are patched.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.6     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd      v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P