A vulnerability leading to remote code execution survived for 10 years in some Avaya VoIP phones, used by 90% of the Fortune 100 companies.
The bug was reported in 2009 in an open-source component bundled into Avaya's firmware, but it went unnoticed in the phones until security researchers analyzed the product.
An attacker exploiting this flaw could essentially hijack the affected device and extract conversations from the speakerphone.
Philippe Laulheret, senior security researcher at McAfee, found the critical vulnerability (CVE-2009-0692) in the Avaya 9600 series IP Deskphone, although J100 Series IP Phones and B100 Series Conference Phones (B189) also include the vulnerable package.
The researcher notes that only the models with the H.323 software stack are impacted; this comment is necessary because Avaya phones can also work with the Session Initiation Protocol (SIP) stack.
CVE-2009-0692 is a stack-based buffer overflow in the ISC DHCP client and can be exploited by sending a malicious DHCP response. The result is a crash or a remote code execution with root privileges.
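The bug class here is a DHCP client that copies an option value into a fixed-size stack buffer based on the untrusted length byte in the server's reply (the public advisory for CVE-2009-0692 names a crafted subnet-mask option). The following is an added example, not code from the article, from Avaya or from ISC: a length-validating parser for the DHCP options area (RFC 2132 layout) that rejects options whose declared length does not match their specification, which is the check a hardened client or a network monitor would apply. The option codes and fixed sizes come from RFC 2132; the two sample packets are constructed for the example.

```python
"""Length-validating parser for DHCP options (RFC 2132 layout).

Added example, not code from the article, Avaya or ISC. It models the defensive
check whose absence produced CVE-2009-0692: the client copied an option value into
a fixed-size stack buffer without validating the length field. Sample packets
below are constructed by hand.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
# Options that carry exactly one fixed-size value (RFC 2132): code -> byte length.
FIXED_LEN = {1: 4, 51: 4, 53: 1, 54: 4, 58: 4, 59: 4}
# Options that carry a list of IPv4 addresses: length must be a non-zero multiple of 4.
ADDR_LIST = {3, 6, 42}


class DhcpOptionError(ValueError):
    pass


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP options area (magic cookie onwards) into {code: value}.

    Rejects truncated packets and options whose length violates the spec,
    instead of trusting the length byte the way a vulnerable client would.
    """
    if not payload.startswith(DHCP_MAGIC):
        raise DhcpOptionError("missing DHCP magic cookie")
    i = len(DHCP_MAGIC)
    opts = {}
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == 0:        # PAD: single byte, no length field
            continue
        if code == 255:      # END
            return opts
        if i >= len(payload):
            raise DhcpOptionError(f"option {code}: length byte missing")
        length = payload[i]
        i += 1
        value = payload[i:i + length]
        if len(value) != length:
            raise DhcpOptionError(f"option {code}: declared length {length} exceeds packet")
        i += length
        expected = FIXED_LEN.get(code)
        if expected is not None and length != expected:
            raise DhcpOptionError(f"option {code}: length {length}, expected {expected}")
        if code in ADDR_LIST and (length == 0 or length % 4):
            raise DhcpOptionError(f"option {code}: address list length {length} not a multiple of 4")
        opts[code] = value
    raise DhcpOptionError("options not terminated by END (255)")


def build_options(items) -> bytes:
    """Construct an options area from a list of (code, value) pairs (test helper)."""
    out = bytearray(DHCP_MAGIC)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


# Constructed sample 1: well-formed DHCPOFFER options.
GOOD = build_options([
    (53, b"\x02"),                       # message type: OFFER
    (1, bytes([255, 255, 255, 0])),      # subnet mask 255.255.255.0
    (3, bytes([192, 168, 1, 1])),        # router
    (51, struct.pack("!I", 3600)),       # lease time, 1 hour
])

# Constructed sample 2: a subnet-mask option carrying 64 bytes instead of 4.
# A client that copies the value into a fixed buffer based on the length byte
# alone is the bug class the article describes; this parser refuses it.
BAD = build_options([
    (53, b"\x02"),
    (1, b"A" * 64),
])


def classify(payload: bytes) -> str:
    """Return 'ok' or 'reject: <reason>', suitable for a log line or IDS verdict."""
    try:
        parse_options(payload)
        return "ok"
    except DhcpOptionError as e:
        return f"reject: {e}"


if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, classify(pkt))
```

Run as-is it classifies the well-formed offer as `ok` and the over-long subnet mask as a reject with the offending option code; the same `classify` function can be fed the options area of captured DHCP replies to flag hostile servers on a segment where unpatched phones still sit.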
Avaya fixed the problem in a firmware update released on June 25, which “supersedes all previous Avaya IP Deskphone H.323 software releases and service packs.”
A video demonstrating an attack is available below. The researcher says that he used a phone connected to the test laptop, although the same effect can be achieved with a computer connected to the same network as the vulnerable phone.
Avaya’s strong recommendation is to use firewalls, access control lists (ACLs) and physical security to protect the assets on the network.
Philippe Laulheret described the road to finding the bugs in Avaya's products at the DEF CON hacker conference in Las Vegas. The presentation covers the technical aspects of hacking embedded devices as well as pointers to the tools and techniques used to access the debugging information that led to the compromise.