Who can forget Avaya phones and their near-monopoly of the corporate communication equipment market for Fortune 100 companies pre-Skype? As software VOIP solutions matured, companies have been slowly but surely migrating away from hardware-based VOIP phones, including Avaya's. For the last 10 years that Avaya ruled the offices, its phones harbored a remote code execution vulnerability that was abused by cybercriminals like a long-term zero-day exploit. The part of the firmware that had the flaw is open source software, and the bug was reported in 2009. Unfortunately, the report failed to attract the attention of Avaya's developers; it went unnoticed for a decade while cybercriminals were stealing conversations off the phones for ages.
The affected devices are the J100, B100 and Avaya 9600 series of hard phones, as reported by Philippe Laulheret, a McAfee security researcher. The mentioned models use the h.323 software stack, which enabled SIP (Session Initiation Protocol) configuration to work on Avaya devices. The security flaw was recorded under CVE-2009-0692; the bug is triggered by sending a malformed DHCP response to the phone's DHCP client. Laulheret and his team at McAfee posted a short proof-of-concept video on YouTube to highlight the degree of danger this 10-year-old bug posed to unsuspecting victims.
All it takes for someone to abuse the flaw is to be on the same network as the affected Avaya phone. The same flaw can be taken advantage of even if the attacker entered the network through a VPN connection. The firmware update that finally fixes the remote code execution bug was only released by Avaya last June 25. The update overwrites the previous service packs installed on the phone, closing the flaw for good. However, there are millions of such devices deployed in corporate offices, and it is still unknown whether all affected hard phones can be updated.
“A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option’s value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process,” explained Laulheret, as he demonstrated the bug at the recently held DEF CON hacker conference in Las Vegas.
Open-source software is hailed as having the capability to be patched by just about anyone who submits the code for approval. The challenge in this case, however, is that the bug is embedded in firmware, and only Avaya has the infrastructure to push the updated code to individual phones. Until the update is pushed to individual phones, the only hope is for companies to implement a strong firewall that separates their internal network from the Internet. SOHO (Small Office Home Office) installations that use Avaya are more at risk, given that in those types of Internet setup the computers are plugged directly into the modem supplied by their respective ISPs.
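The threat the article describes is a rogue DHCP server on the same network answering the phone with a malformed reply. As an added, defender-side example that is not part of the article or of Avaya's or McAfee's code, the following Python parses the option area of a DHCP OFFER/ACK and flags two things a network monitor or DHCP-snooping rule would care about: replies whose server identifier is not in an allowlist, and fixed-length options carrying an oversized value. The sample packets, the allowlist addresses and the `build_sample` helper are constructed for the demonstration.

```python
# Constructed demonstration: inspect DHCP replies seen on a LAN segment.
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie, offset 236

# Options that must carry a fixed-length value per RFC 2132. A reply whose
# value length disagrees is malformed and worth alerting on.
FIXED_LEN = {1: 4, 51: 4, 53: 1, 54: 4}  # mask, lease, msg type, server id

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the option area of a BOOTP/DHCP message into {code: value}.
    PAD (0) is skipped, END (255) stops parsing; a truncated TLV raises."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts

def check_offer(payload: bytes, allowed_servers: set) -> list:
    """Return findings for one DHCP reply; an empty list means it looks sane."""
    findings = []
    opts = parse_dhcp_options(payload)
    server_id = opts.get(54)
    if server_id is None:
        findings.append("missing server identifier (option 54)")
    else:
        server_ip = ".".join(str(b) for b in server_id)
        if server_ip not in allowed_servers:
            findings.append(f"reply from unapproved DHCP server {server_ip}")
    for code, expected in FIXED_LEN.items():
        if code in opts and len(opts[code]) != expected:
            findings.append(f"option {code} has length {len(opts[code])}, expected {expected}")
    return findings

def build_sample(server_ip: bytes, subnet_mask: bytes) -> bytes:
    """Assemble a minimal constructed DHCPOFFER (hypothetical helper)."""
    header = b"\x02" + b"\x00" * 235                 # op=BOOTREPLY, rest zeroed
    opts = b"\x35\x01\x02" + b"\x36\x04" + server_ip  # options 53 and 54
    opts += b"\x01" + bytes([len(subnet_mask)]) + subnet_mask  # option 1
    return header + DHCP_MAGIC + opts + b"\xff"
```

Feeding it a capture from a port mirror or a DHCP-snooping log lets a team spot a second DHCP server appearing on a phone VLAN before any client acts on its reply.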
The researchers have no knowledge of how much audio data was stolen from phone conversations through exploitation of the decade-old bug. We will publish a follow-up article once more information becomes available.