Decade-old unpatched RCE bug in Avaya VoIP phone impacts Fortune 500 companies

• The vulnerability impacts Avaya 9600 series IP Deskphone, although J100 Series IP Phones and B100 Series Conference Phones (B189) also include the vulnerable package.
• The vulnerability is tracked as CVE-2009-0692.

A remote code execution bug in Avaya VoIP phone, used by 90 percent of Fortune 500 companies, went unnoticed for 10 years until it was patched recently. The vulnerability is tracked as CVE-2009-0692.

What’s the matter?

The security flaw was revealed at the Black Hat conference by Philippe Laulhert, a security analyst at McAfee. The vulnerability impacts Avaya 9600 series IP Deskphone, although J100 Series IP Phones and B100 Series Conference Phones (B189) also include the vulnerable package. The flaw can be abused to gain access to a root shell on the phone. It can also allow an attacker to reverse-engineer the file on the phone.

Laulhert noted that the age of the code is a ‘big red flag’.

What is the vulnerability?

The CVE-2009-0692 is a stack overflow buffer vulnerability that exists in the ISP Dynamic Host Configuration Protocol (DHCP) client. It affects the models with the H.323 software stack.

The flaw has received a score of 10 on the CVSS severity scale. Avaya’s advisory states that, "if the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root)."

Meanwhile, McAfee says that attackers could leverage the RCE vulnerability to hijack a phone’s normal operations and steal audio. While the attack could be performed by directly connecting to a laptop, it could also be triggered as long as there is a network connection to the target phone.

Mitigation

Avaya fixed the problem in a firmware update released on June 25, 2019.The users have been asked to upgrade 9600 Series IP Deskphones, J100 Series IP Phones and B100 Series Conference to versions 6.8.2 or later in order to address the issue.