
BToE vulnerability in 3.8 and below



Hello all, I have a client who alerted me to a BToE vulnerability on versions 3.8 and below regarding stored, fixed credentials being used between the phone and the PC client, with the solution being to move to UC software 6.0 and BToE 4.0. This client has a mix of phones compatible with UCS 6.0 and some that aren't, like VVX 500s, and also likes to not move to the latest software build. They currently run 5.9.0 with Skype for Business and of course BToE 3.9.


UCS 5.9 and BToE 3.9 are both not mentioned in the vulnerability document, but I opened a case and asked specifically about future updates to address the vulnerability and was told that 5.9/3.9 won't be getting the fixes that address this vulnerability.


I'm aware that this forum is not the place for future feature release information, but I'm hopeful that my support tech, who wasn't aware of the vulnerability until I sent the document over, was simply incorrect and that this vulnerability can be addressed in the legacy builds for clients who aren't wanting to upgrade a stack of otherwise good phones, but who use BToE heavily.


Thanks in advance!

Message 1 of 3
Polycom Employee & Community Manager

Re: BToE vulnerability in 3.8 and below

Hello @UCDave,

The community contains individual sections dealing with the different products we offer Voice, Audio/Video, UC Infrastructure or Others.

Your post or the post you replied to was placed into an incorrect section and has therefore already been moved.

We are working on fixing this in 5.9.x but I am unable to provide a date.

Best Regards

Steffen Baier

Message 2 of 3

Re: BToE vulnerability in 3.8 and below

Thank you very much, Steffen, that should hold them over.

Message 3 of 3