BToE vulnerability in 3.8 and below

Member

Hello all, I have a client who alerted me to a BToE vulnerability on versions 3.8 and below regarding stored, fixed credentials being used between the phone and the PC client, with the solution being to move to UC software 6.0 and BToE 4.0. This client has a mix of phones compatible with UCS 6.0 and some that aren't, like VVX 500s, and also likes to not move to the latest software build. They currently run 5.9.0 with Skype for Business and of course BToE 3.9.

UCS 5.9 and BToE 3.9 are both not mentioned in the vulnerability document, but I opened a case and asked specifically about future updates to address the vulnerability and was told that 5.9/3.9 won't be getting the fixes that address this vulnerability.

I'm aware that this forum is not the place for future feature release information, but I'm hopeful that my support tech, who wasn't aware of the vulnerability until I sent the document over, was simply incorrect and that this vulnerability can be addressed in the legacy builds for clients who aren't wanting to upgrade a stack of otherwise good phones, but who use BToE heavily.

Thanks in advance!

Message 1 of 3
1 ACCEPTED SOLUTION

Polycom Employee & Community Manager

Re: BToE vulnerability in 3.8 and below

Hello @UCDave,

The community contains individual sections dealing with the different products we offer: Voice, Audio/Video, UC Infrastructure or Others.

Your post or the post you replied to was placed into an incorrect section and has therefore already been moved.

We are working on fixing this in 5.9.x but I am unable to provide a date.

Best Regards

Steffen Baier

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs.

Message 2 of 3
Member

Re: BToE vulnerability in 3.8 and below

Thank you very much, Steffen, that should hold them over.

Message 3 of 3