Security experts at McAfee discovered that a stack-based buffer overflow flaw in the Dynamic Host Configuration Protocol (DHCP) client, found and fixed ten years ago, still affects several Avaya phones. The vulnerability, tracked as CVE-2009-0692, could be exploited by an attacker to crash the ISC DHCP client and execute arbitrary code with the permissions of the client.
The vulnerability could be exploited using a specially crafted DHCP response.
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.
Avaya left the vulnerability unaddressed in some of its VoIP devices, never applying the necessary patches that were released after the discovery of the flaw in 2009.
“We were able to find the presence of a Remote Code Execution (RCE) vulnerability in a piece of open source software that Avaya likely copied and modified 10 years ago, and then failed to apply subsequent security patches to,” reads the analysis published by McAfee. “The bug affecting the open source software was reported in 2009, yet its presence in the phone’s firmware remained unnoticed until now. Only the H.323 software stack is affected (as opposed to the SIP stack that can also be used with these phones), and the Avaya Security Advisory (ASA) can be found here ASA-2019-128.”
Exploitation of this flaw could allow an attacker to take over a device, exfiltrate audio from its speakerphone, and potentially use the phone to spy on communications. The experts published a video of the attack conducted with the phone directly connected to an attacker’s laptop; the attack would also work over a connection to the same network as a vulnerable device.
Avaya addressed the issue with the release of new firmware on June 25.
Affected models are 9600 Series, J100 Series or B189 running firmware version 6.8.1 and earlier and using H.323 firmware (SIP versions are not affected).
Users can determine which firmware version their phone is using in the “About Avaya IP Deskphone” screen under the Home menu.
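A fleet check built from the criteria above, as an added example that is not from McAfee, Avaya or the original article: it triages a constructed inventory export by model family, signalling stack and firmware version. The CSV columns, host names, model-name patterns and the choice to compare only the first three version components are assumptions.

```python
import csv
import io
import re

# Criteria from the article: 9600 Series, J100 Series or B189, H.323 firmware,
# version 6.8.1 and earlier. SIP firmware is not affected.
LAST_AFFECTED = (6, 8, 1)
# Assumption: model names in the inventory follow these family patterns.
AFFECTED_MODEL = re.compile(r"^(96\d\d\w*|J1\d\d\w*|B189)$", re.IGNORECASE)

def parse_version(text):
    """Turn '6.8.1' or '6.8.1.03' into a 3-int tuple; None if unparseable."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(row):
    """Return 'affected', 'not affected' or 'review' for one inventory row."""
    if not AFFECTED_MODEL.match(row["model"].strip()):
        return "not affected"
    stack = row["stack"].strip().upper().replace(".", "")
    if stack == "SIP":
        return "not affected"
    version = parse_version(row["firmware"])
    if stack != "H323" or version is None:
        return "review"  # unknown stack or version: check the phone by hand
    # Tuple comparison is numeric, so 6.10.0 sorts after 6.8.1 (strings would not).
    return "affected" if version <= LAST_AFFECTED else "not affected"

# Constructed sample inventory (hosts, models and versions are made up).
SAMPLE = """host,model,stack,firmware
desk-101,9611G,H.323,6.6.4
desk-102,9641G,H.323,6.8.2
desk-103,J179,SIP,4.0.1
desk-104,J169,H.323,6.8.1.03
desk-105,B189,H.323,6.10.0
desk-106,9608,,6.8
desk-107,1608,H.323,1.3.12
"""

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Rows marked `review` lack a stack or a parseable version and need the on-phone check described above.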
“IoT and embedded devices tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose. In this case, with a minimal hardware investment and free software, we were able to uncover a critical bug that remained out-of-sight for more than a decade,” McAfee concluded.
(SecurityAffairs – Avaya, hacking)