Solved: BToE vulnerability in 3.8 and below

UCDave · ‎05-29-2019

Hello all, I have a client who alerted me to a BToE vulnerability on versions 3.8 and below regarding stored, fixed credentials being used between the phone and the PC client, with the solution being to move to UC software 6.0 and BToE 4.0. This client has a mix of phones compatible with UCS 6.0 and some that aren't like VVX 500s, and also likes to not move to the latest software build. They currently run 5.9.0 with Skype for Business and of course BToE 3.9.

UCS 5.9 and BToE 3.9 are both not mentioned in the vulnerability document, but I opened a case and asked specifically about future updates to address the vulnerability and was told that 5.9/3.9 won't be getting the fixes that address this vulnerability.

I'm aware that this forum is not the place for future feature relase information but I'm hopeful that my support tech, who wasn't aware of the vulnerability until I sent the document over, was simply incorrect and that this vulnerability can be addressed in the legacy builds for clients who aren't wanting to upgrade a stack of otherwise good phones, but who use BToE heavily.

Thanks in advance!

SteffenBaierUK · ‎05-29-2019

Hello @UCDave ,

The community contains individual sections dealing with the different products we offer Voice, Audio/Video, UC Infrastructure or Others.

Your post or the post you replied to was placed into an incorrect section and has therefore already been moved.

We are working on fixing this in 5.9.x but I am unable to provide a date.

Best Regards

Steffen Baier

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

View solution in original post

SteffenBaierUK · ‎05-29-2019

Hello @UCDave ,

The community contains individual sections dealing with the different products we offer Voice, Audio/Video, UC Infrastructure or Others.

Your post or the post you replied to was placed into an incorrect section and has therefore already been moved.

We are working on fixing this in 5.9.x but I am unable to provide a date.

Best Regards

Steffen Baier

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

View solution in original post

UCDave · ‎05-29-2019

Thank you very much, Steffen, that should hold them over.

BToE vulnerability in 3.8 and below

BToE vulnerability in 3.8 and below

Re: BToE vulnerability in 3.8 and below

Re: BToE vulnerability in 3.8 and below

Re: BToE vulnerability in 3.8 and below