Decade-old remote code execution bug found in phones used by Fortune 500

The firmware vulnerability lurked undetected for ten years.
Written by Charlie Osborne, Contributing Writer

A decade-old remote code execution vulnerability in the firmware of enterprise desk phones has been discovered by researchers.

On Thursday at Black Hat USA in Las Vegas, Nevada, McAfee researchers revealed the existence of the security flaw in a desk phone developed by Avaya, a VOIP solution provider and vendor for business desk phones. 

According to Avaya, 90 percent of Fortune 500 companies use its services (.PDF), which includes deploying its desk phones, among them the Avaya 9600 series IP model.

It is this particular device that caught the interest of researchers including Philippe Laulheret, who found a severe remote code execution (RCE) vulnerability present in an open-source component within the phone's firmware. 

McAfee says this part of the software was likely "copied and modified 10 years ago" by Avaya, but as we know, open-source code requires the same patching and security monitoring as proprietary code. 

This is where the issue lies: the open-source module was implemented but never patched. Indeed, the bug in question was reported back in 2009 and remained in the Avaya 9600 until the present day. To make matters worse, an exploit for the vulnerability has been floating around the Internet for years. 


Tracked as CVE-2009-0692, the stack-based buffer overflow vulnerability exists in the ISC DHCP client. Avaya says that "if the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root)."

The H.323 software stack, rather than the phone's SIP stack, is affected, and the issue was caused by the DHCP client daemon failing to properly sanitize certain options in the server's response. 
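As an added illustration (not Avaya's or ISC's code), the following C snippet shows the kind of option-length check whose absence the article describes: a minimal DHCP option parser that validates every length against both the remaining packet bytes and the size of the destination field before copying, using the subnet-mask option as the illustrative case, with constructed sample replies rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCP option codes used here (RFC 2132). */
#define DHO_PAD         0
#define DHO_SUBNET_MASK 1
#define DHO_END         255

enum { OPT_OK = 0, OPT_MALFORMED = -1, OPT_OVERSIZED = -2 };  /* parser results */

struct lease_params {
    uint8_t subnet_mask[4];  /* fixed-size field, the kind of buffer an unchecked copy overruns */
    int have_subnet_mask;
};

/* Walk the type/length/value options of a received DHCP reply. Each length is
 * checked against the bytes left in the packet and against the destination size
 * before any copy, which is the sanitization the vulnerable client lacked. */
int parse_dhcp_options(const uint8_t *opts, size_t len, struct lease_params *out)
{
    size_t i = 0;
    memset(out, 0, sizeof(*out));
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) return OPT_OK;
        if (i >= len) return OPT_MALFORMED;        /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return OPT_MALFORMED;  /* value runs past the packet */
        if (code == DHO_SUBNET_MASK) {
            /* Never trust the server-supplied length: require exactly 4 bytes. */
            if (olen != sizeof(out->subnet_mask)) return OPT_OVERSIZED;
            memcpy(out->subnet_mask, &opts[i], olen);
            out->have_subnet_mask = 1;
        }
        i += olen;  /* skip options this example does not interpret */
    }
    return OPT_MALFORMED;  /* no END option */
}

/* Constructed sample replies (not captured traffic): a valid /24 mask, and a
 * mask option whose length byte claims 6 bytes. Returns 1 if both are handled. */
int check_sample_replies(void)
{
    const uint8_t good[] = { DHO_SUBNET_MASK, 4, 255, 255, 255, 0, DHO_END };
    const uint8_t oversized[] = { DHO_SUBNET_MASK, 6, 1, 2, 3, 4, 5, 6, DHO_END };
    struct lease_params lp;
    int ok = parse_dhcp_options(good, sizeof good, &lp) == OPT_OK && lp.subnet_mask[3] == 0;
    int rejected = parse_dhcp_options(oversized, sizeof oversized, &lp) == OPT_OVERSIZED;
    return ok && rejected;
}
```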

McAfee says that attackers could leverage the RCE to hijack a phone's normal operations, extract and steal audio, and "bug" a device for surveillance purposes. While the attack could be performed with a direct laptop link, it could also be triggered as long as there is a network connection to the target phone. 

Once McAfee found the vulnerability, Avaya was able to create and test a firmware update that contains a fix for the open-source component within two months. 


A firmware update and disc image have now been published by Avaya. 

"In a large enterprise setting, it is pretty common to first have a testing phase where a new image is being deployed to selected devices to ensure no conflict arises from the deployment," the researchers say. "This explains why the timeline from the patch release to deployment to the whole fleet may take longer than what is typical in consumer-grade software."

ZDNet has reached out to Avaya and will update this article as and when the company responds. 
